Why isn't this password secure?

You know the standard directives for generating a password - use a mixture of lower & upper case letters, numbers, and punctuation. (and longer is better, of course, but let's leave password length out of the picture for the moment. I'm just thinking of character selection)

I get the basic idea. If you use both upper & lower case letters instead of lowercase-only, you have 52 possibilities for each character instead of 26. That makes sense.

But wouldn't a lowercase password be less secure only if an attacker knew it was lowercase? If he didn't know that, he'd have no reason to constrain the character set used in a brute-force attack.

It's probably obvious by now that my cryptographic knowledge is minimal. This question's bugged me for years, though, so if someone could indulge me, I'd be appreciative.

An interesting article I read about securing passwords from brute force attacks:


Still, the most common way of obtaining your password is through social engineering or trojan horses.  Or if you use the same password everywhere and one less secure site is compromised.

Let us know your thoughts!
IanJBlackburn (Author) commented:
Thanks - I'm familiar with that cartoon (and routinely refer coworkers to it).

I'm still unclear on whether or not capitals, numerals, etc. really do affect a password's quality, though.
Hello IanJBlackburn

Yes, you are correct: the attacker would need to know that the password can contain only lowercase characters. However, your security control would then be relying on the attacker not knowing this - a concept known as "security through obscurity".

If the system was a public website, then the attacker could just create his own account and try out different passwords to identify the required complexity and then tailor his attack to this.

Hope that answers your question!

Don Johnston (Instructor) commented:
I think you're approaching this with the wrong mindset.

Try this:

To win a million dollars (or whatever your currency of choice is), all you have to do is select the correct 8 numbers.

If there are only 8 numbers to select from, you're a guaranteed winner. But if there are 16 numbers to pick from, it'll be a bit harder. And obviously, if there are 100 numbers to pick from, it'll be real difficult.

The point is, the more possible choices there are, the more difficult guessing the correct password is.
The truth is, any added complexity in a password makes it increasingly difficult to brute force. That being said, the password (due to the fact that very few services allow more than a certain number of failed login attempts per hour) is highly more likely to be acquired by other means. When I say highly, I mean thousands of times more likely.

If you want to think black and white, then yes, it does make a password slightly more secure. But if you want to take in the complexity of the real world, understand that if I want to get your Experts Exchange password I'm more likely to con it off you than brute force the servers (hence the enigmatic "Don't share your password with ANYONE" phrase).

Hopefully this clears it up for you.
Dave Baldwin (Fixer of Problems) commented:
Two primary things affect the 'security' of a password.  #1 is the value of the information that can be obtained by having it and #2 is the complexity or possible combinations of characters that can be used in the password.  If there is no economic value to be obtained, then people won't try very hard to crack a password.  If there is $100 million dollars to be had, they will put in a lot of effort to crack it.
IanJBlackburn (Author) commented:
Thanks, all. I’m aware that the easiest way to get a password is to social-engineer it out of someone (or shoulder-surf, dumpster-dive, etc.).

And I do understand that added complexity results in stronger passwords. My question was more along the lines of this:

Let’s say an attacker has to take into account that there are 96 different characters someone might use for a password. From a brute-force perspective, these two ten-character strings should be equally secure, even though the first one uses only lowercase letters, and the second uses letters, numbers, and punctuation.


JohnKillilea correctly points out that this would be a “security through obscurity” approach, though, and that there are sometimes methods to determine a password’s complexity. So from that perspective, I guess it is a valid concept to use as broad a character set as possible.

Thanks again for the discussion, everyone!
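A worked comparison of the two attacker models this thread argues about, added here as an example (not code from any of the posters): an attacker who assumes all 96 printable characters in every position, versus one who simply exhausts the smaller alphabets first and so never needs to be told the policy. The tier names, the intermediate 62-character alphanumeric tier and the sample passwords are constructed for the example.

```python
import math
import string

# Alphabet sizes from the thread: 26 lowercase, 52 mixed case, 96 printable.
# The 62-character alphanumeric tier is an added intermediate step.
TIERS = [("lowercase", 26), ("mixed case", 52), ("alphanumeric", 62), ("full printable", 96)]
# Concrete character sets for the first three tiers; anything else lands in the last.
ALPHABETS = [string.ascii_lowercase, string.ascii_letters, string.ascii_letters + string.digits]


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of a given length over an alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the keyspace: the usual 'bits of strength' figure."""
    return length * math.log2(alphabet_size)


def smallest_tier(password: str) -> int:
    """Index of the smallest tier whose alphabet contains every character."""
    for i, alphabet in enumerate(ALPHABETS):
        if all(c in alphabet for c in password):
            return i
    return len(TIERS) - 1


def guesses_uniform(length: int) -> int:
    """Worst case for an attacker who assumes the full 96-character set everywhere."""
    return keyspace(96, length)


def guesses_tiered(tier: int, length: int) -> int:
    """Worst case for an attacker who exhausts smaller alphabets before larger ones.
    Summing whole tiers overcounts their overlap slightly, which is the safe side."""
    return sum(keyspace(size, length) for _, size in TIERS[: tier + 1])


def work_factor(password: str) -> dict:
    """Compare both attacker models for one constructed sample password."""
    n, tier = len(password), smallest_tier(password)
    uniform, tiered = guesses_uniform(n), guesses_tiered(tier, n)
    return {"tier": TIERS[tier][0],
            "bits": round(entropy_bits(TIERS[tier][1], n), 1),
            "uniform_guesses": uniform,
            "tiered_guesses": tiered,
            "advantage": round(uniform / tiered, 1)}  # saving of the tiered attacker


if __name__ == "__main__":
    for pw in ("qwertyuiop", "Qw3rty!u1P"):  # constructed sample passwords
        print(pw, work_factor(pw))
```

For the ten-character lowercase sample the tiered attacker does roughly 470,000 times less work than the uniform model predicts, while for the sample drawn from the full set the two models agree; that gap is what the "obscurity" of a lowercase-only policy is actually worth.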