
How a tiny change to your password will make the “time to crack” jump from 2.4 days to 2.1 CENTURIES

By Nicholas Lovell on April 1, 2010

Passwords are a pain.

As all of us move to creating games (or media) as a service, we need to think about how to help keep passwords secure for our users.

And because most people use the same passwords everywhere (say, for their online games, forums, and their bank), password strength is critical.

John Pozadzides over at Lifehacker has this to say:

“Pay particular attention to the difference between using only lowercase characters and using all possible characters (uppercase, lowercase, and special characters – like @#$%^&*). Adding just one capital letter and one asterisk would change the processing time for an 8 character password from 2.4 days to 2.1 centuries.”

He made that stark difference even more clear in the chart below:

I think it is important that all of us think about this on a personal level.

Professionally, though, I’m not so sure. I get annoyed with sites that force me to pick a “secure” password, especially if I don’t have a meaningful relationship with them yet. “Let me use a standard, easy to remember, low-strength password, if I want to,” is what I think.

But I do think you should let people use lower AND uppercase letters. The few sites that don’t let me do that *really* annoy me.

What do you think? How much pressure should we put on our users to use secure passwords?
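The arithmetic behind the quoted figures, as an added worked example (this script is not from the original post, from Lifehacker or from Gamesbrief). It assumes that “all possible characters” means the 95 printable ASCII characters, and it works backwards from “2.4 days for eight lowercase letters” to the guess rate that figure implies, roughly one million guesses per second, which is exactly the rate at which 95^8 comes out at 2.1 centuries. It also shows two things the quote leaves out, which a practitioner would want to know before relying on those numbers: the times are worst-case full-search times (on average the right password turns up halfway through), and an attacker who assumes the usual shape people produce when told to add a capital and a symbol, capital first and symbol last, has a search space of about 2.65 × 10^11, roughly three days at the same rate rather than centuries. The mask notation (?l ?u ?d ?s ?a) follows hashcat’s convention and is my own choice for the example. The throttled case at the end is the online scenario raised in the comments below, six lowercase letters at one guess every ten seconds, with the space counted as 26^6 (ordered strings with repetition); note that a login throttle only bounds online guessing, and does nothing against offline cracking of a leaked hash database.

```python
import math
import string

# Alphabet sizes an attacker has to search. "All possible characters" in
# time-to-crack tables usually means the 95 printable ASCII characters:
# 26 lower + 26 upper + 10 digits + 32 punctuation + the space (assumed here).
LOWER = len(string.ascii_lowercase)               # 26
UPPER = len(string.ascii_uppercase)               # 26
DIGITS = len(string.digits)                       # 10
SYMBOLS = len(string.punctuation) + 1             # 32 punctuation + space = 33
ALL_PRINTABLE = LOWER + UPPER + DIGITS + SYMBOLS  # 95

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# Positional mask classes, named after hashcat's ?l ?u ?d ?s ?a (my convention
# for this example, not something the post uses).
MASK_CLASSES = {"l": LOWER, "u": UPPER, "d": DIGITS, "s": SYMBOLS, "a": ALL_PRINTABLE}


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct strings of exactly `length` characters drawn, with repetition,
    from `alphabet_size` symbols: alphabet_size ** length. Order matters and
    characters may repeat, so this is a power, not a binomial coefficient."""
    return alphabet_size ** length


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst case: time to try every candidate. The expected time to hit the
    right password is half of this, since on average it sits mid-search."""
    return space / guesses_per_second


def implied_guess_rate(space: int, seconds: float) -> float:
    """Work backwards from a published time-to-crack to the rate it assumes."""
    return space / seconds


def mask_keyspace(mask: str) -> int:
    """Candidates for a positional mask such as '?u?l?l?l?l?l?l?s' (capital
    first, symbol last, lowercase between): the product of the class sizes."""
    tokens = mask.split("?")
    if tokens[0] != "" or any(t not in MASK_CLASSES for t in tokens[1:]):
        raise ValueError("mask must be a sequence of ?l ?u ?d ?s ?a tokens")
    return math.prod(MASK_CLASSES[t] for t in tokens[1:])


def structured_keyspace(length: int, n_upper: int, n_symbol: int) -> int:
    """Candidates when the attacker knows only that the password has exactly
    `n_upper` capitals and `n_symbol` symbols somewhere, lowercase elsewhere:
    choose the positions, then multiply the per-slot choices."""
    n_lower = length - n_upper - n_symbol
    if n_lower < 0:
        raise ValueError("more capitals and symbols than positions")
    positions = math.comb(length, n_upper) * math.comb(length - n_upper, n_symbol)
    return positions * UPPER ** n_upper * SYMBOLS ** n_symbol * LOWER ** n_lower


def full_search_years(guesses_per_second: float = 1e6) -> dict:
    """Worst-case search time in years for the 8-character scenarios in the post,
    at an offline guess rate (1e6/s is what the quoted figures imply)."""
    spaces = {
        "8 lowercase": keyspace(LOWER, 8),
        "8 from all 95 printable": keyspace(ALL_PRINTABLE, 8),
        "8 chars, 1 upper + 1 symbol anywhere, rest lower": structured_keyspace(8, 1, 1),
        "8 chars, mask ?u?l?l?l?l?l?l?s": mask_keyspace("?u?l?l?l?l?l?l?s"),
    }
    return {name: seconds_to_exhaust(space, guesses_per_second) / SECONDS_PER_YEAR
            for name, space in spaces.items()}


if __name__ == "__main__":
    rate = implied_guess_rate(keyspace(LOWER, 8), 2.4 * SECONDS_PER_DAY)
    print(f"guess rate implied by '2.4 days for 8 lowercase letters': {rate:,.0f}/s")
    for name, years in full_search_years(1e6).items():
        print(f"{name:50s} {years * 365.25:14,.1f} days  ({years:10,.2f} years)")
    # Online guessing throttled to one attempt per 10 s over six lowercase letters.
    # A throttle bounds only online guessing; a leaked hash is cracked offline.
    throttled = seconds_to_exhaust(keyspace(LOWER, 6), 1 / 10) / SECONDS_PER_YEAR
    print(f"6 lowercase letters, online, one guess per 10 s: {throttled:,.1f} years")
```

Run it as a script to see the table; the two published numbers fall out directly (26^8 at a million guesses per second is 2.4 days, 95^8 is about 210 years), while the `?u?l?l?l?l?l?l?s` mask row shows why forcing a capital and a symbol buys far less than the headline suggests when people put them in the obvious places.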

About Nicholas Lovell

Nicholas is the founder of Gamesbrief, a blog dedicated to the business of games. It aims to be informative, authoritative and above all helpful to developers grappling with business strategy. He is the author of a growing list of books about making money in the games industry and other digital media, including How to Publish a Game and Design Rules for Free-to-Play Games, and Penguin-published title The Curve:
  • Stan Beremski

If websites that required your password only allowed you to input an entry every 10 seconds (or whatever) then you would render brute force attacks like the one suggested by the Lifehacker article useless.

    A 6 character password composed only of small letters has 26C6 combos = 230,230

    It would take 27 days to try all the possibilities if you tried once every ten seconds.

  • ChrisBateman

    Honestly, while encouraging people to construct strong passwords is obviously worthwhile, there must be a pragmatic nod-of-the-head to people's ability to remember passwords.

    What would help enormously would be if, rather than each site setting their own standards for password acceptance, there was a communal guideline for strong passwords that could be deployed as an “industry standard”. This would allow people to adopt one strong password and use it in multiple places. (Yes, I know it would be better if they had a password modified for each site, but this is beyond the limits of practicality in practice).

    Or, looking ahead, I don't see any reason a webcam can't be used to conduct face or fingerprint recognition. We could ditch the need for passwords altogether. 🙂

  • adam

    What we need is fewer websites using secure passwords, not more. We need far far fewer websites using passwords *at all*.

    It’s just a fetish that web designers have for making their website “more professional” – usually, they don’t care; they only want your email address anyway.

    And … My email address is more than password enough for the vast majority of sites – but most web developers are too ill-educated / ignorant about what an “identity” is to understand this.

    It’s getting to the point where any site that demands a secure password … I find an alternative provider of whatever service they’ve got.