
How a tiny change to your password will make the “time to crack” jump from 2.4 days to 2.1 CENTURIES

April 1, 2010

Passwords are a pain.

As all of us move to creating games (or media) as a service, we need to think about how to help keep passwords secure for our users.

And because most people use the same passwords everywhere (say, for their online games, forums, and their bank), password strength is critical.

John Pozadzides over at Lifehacker has this to say:

“Pay particular attention to the difference between using only lowercase characters and using all possible characters (uppercase, lowercase, and special characters – like @#$%^&*). Adding just one capital letter and one asterisk would change the processing time for an 8 character password from 2.4 days to 2.1 centuries.”

He made that stark difference even more clear in the chart below:

I think that it is important for all of us that we think about this on a personal level.

Professionally, though, I’m not so sure. I get annoyed with sites that force me to pick a “secure” password, especially if I don’t have a meaningful relationship with them yet. “Let me use a standard, easy to remember, low-strength password, if I want to,” is what I think.

But I do think you should let people use lower AND uppercase letters. The few sites that don’t let me do that *really* annoy me.

What do you think? How much pressure should we put on our users to use secure passwords?

  • adam

    What we need is fewer websites using secure passwords, not more. We need far far fewer websites using passwords *at all*.

    It’s just a fetish that web designers have for making their website “more professional” – usually, they don’t care; they only want your email address anyway.

    And … My email address is more than password enough for the vast majority of sites – but most web developers are too ill-educated / ignorant about what an “identity” is to understand this.

    It’s getting to the point where any site that demands a secure password … I find an alternative provider of whatever service they’ve got.

    [Reply]

  • ChrisBateman

    Honestly, while encouraging people to construct strong passwords is obviously worthwhile, there must be a pragmatic nod-of-the-head to people's ability to remember passwords.

    What would help enormously would be if, rather than each site setting their own standards for password acceptance, there was a communal guideline for strong passwords that could be deployed as an “industry standard”. This would allow people to adopt one strong password and use it in multiple places. (Yes, I know it would be better if they had a password modified for each site, but this is beyond the limits of practicality in practice).

    Or, looking ahead, I don't see any reason a webcam can't be used to conduct face or fingerprint recognition. We could ditch the need for passwords altogether. :)

    [Reply]

  • Stan Beremski

    If websites that required your password only allowed you to input an entry every 10 seconds (or whatever), then you would render brute force attacks like the one suggested by Lifehacker useless.

    A 6 character password composed only of small letters has 26C6 combos = 230,230

    It would take 27 days to try all the possibilities if you tried once every ten seconds.

    [Reply]
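As an added example (not code from the post, from Lifehacker, or from any commenter), this Python script works the quoted arithmetic through: it infers which character classes a password draws from, computes the worst-case exhaustive-search time at an assumed offline guessing rate, and compares that with the one-attempt-per-10-seconds online throttle Stan proposes. The 95-character "all characters" alphabet and the one-million-guesses-per-second offline rate are assumptions, chosen because they are the values that make the quoted 2.4 days and 2.1 centuries consistent with each other; the sample passwords are constructed.

```python
import string

# Character classes an exhaustive guesser must cover. The symbol class is
# string.punctuation plus the space, so the union of all four classes is the
# 95 printable ASCII characters. Treating "all characters" as this 95-symbol
# set is an assumption: it is the alphabet size under which the quoted
# 2.4-day and 2.1-century figures agree with each other.
CLASSES = {
    "lower": frozenset(string.ascii_lowercase),
    "upper": frozenset(string.ascii_uppercase),
    "digit": frozenset(string.digits),
    "symbol": frozenset(string.punctuation + " "),
}

# Unit lengths in seconds, smallest to largest (plural names for display).
UNITS = (("seconds", 1), ("minutes", 60), ("hours", 3600), ("days", 86400),
         ("years", 365.25 * 86400), ("centuries", 36525 * 86400))

OFFLINE_RATE = 1_000_000  # guesses/s; assumed rate that reproduces "2.4 days"
THROTTLED_RATE = 0.1      # one attempt per 10 seconds, the online throttle above


def alphabet_size(password: str) -> int:
    """Size of the union of every character class the password draws from."""
    used = [chars for chars in CLASSES.values() if any(c in chars for c in password)]
    if not used:
        raise ValueError("password uses no character from the modelled classes")
    return sum(len(chars) for chars in used)


def search_seconds(alphabet: int, length: int, guesses_per_second: float) -> float:
    """Worst case: every string of this length over this alphabet gets tried."""
    return alphabet ** length / guesses_per_second


def crack_time(password: str, guesses_per_second: float) -> float:
    """Worst-case seconds to exhaust the password's inferred alphabet and length."""
    return search_seconds(alphabet_size(password), len(password), guesses_per_second)


def human(seconds: float) -> str:
    """Render seconds in the largest unit that still gives a value of at least 1."""
    for name, size in reversed(UNITS):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real account.
    for pw in ("abcdefgh", "aBcdef*h", "aB3def*h", "abcdef"):
        for label, rate in (("offline", OFFLINE_RATE), ("throttled", THROTTLED_RATE)):
            print(f"{pw:<10}{label:>10}: {human(crack_time(pw, rate))}")
```

Note that adding only a capital and an asterisk to an eight-character lowercase password yields an 85-symbol alphabet, not 95; the 2.1-century figure is reached only if the guesser has to cover digits as well.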
