Why isn't this password secure?

Posted on 2013-08-28
Medium Priority
Last Modified: 2013-08-29
You know the standard directives for generating a password - use a mixture of lower & upper case letters, numbers, and punctuation. (and longer is better, of course, but let's leave password length out of the picture for the moment. I'm just thinking of character selection)

I get the basic idea. If you use both upper & lower case letters instead of lowercase-only, you have 52 possibilities for each character instead of 26. That makes sense.

But wouldn't a lowercase password be less secure only if an attacker knew it was lowercase? If he didn't know that, he'd have no reason to constrain the character set used in a brute-force attack.

It's probably obvious by now that my cryptographic knowledge is minimal. This question's bugged me for years, though, so if someone could indulge me, I'd be appreciative.
Question by: IanJBlackburn

Expert Comment

ID: 39447187
An interesting article I read about securing passwords from brute force attacks:


Still, the most common way of obtaining your password is through social engineering or trojan horses.  Or if you use the same password everywhere and one less secure site is compromised.

Let us know your thoughts!

Author Comment

ID: 39447210
Thanks - I'm familiar with that cartoon (and routinely refer coworkers to it).

I'm still unclear on whether or not capitals, numerals, etc. really do affect a password's quality, though.

Accepted Solution

JohnKillilea earned 2000 total points
ID: 39447213
Hello IanJBlackburn

Yes, you are correct, the attacker would need to know that the password can contain only lowercase characters. However, your security control would then be relying on the attacker not knowing this - a concept known as "security through obscurity".

If the system was a public website, then the attacker could just create his own account and try out different passwords to identify the required complexity and then tailor his attack to this.

Hope that answers your question!

LVL 50

Expert Comment

by: Don Johnston
ID: 39447229
I think you're approaching this with the wrong mindset.

Try this:

To win a million dollars (or whatever your currency of choice is), all you have to do is select the correct 8 numbers.

If there are only 8 numbers to select from, you're a guaranteed winner. But if there are 16 numbers to pick from, it'll be a bit harder. And obviously, if there are 100 numbers to pick from, it'll be real difficult.

The point is, the more possible choices there are, the more difficult guessing the correct password is.

Expert Comment

ID: 39447236
The truth is, any added complexity in a password makes it increasingly difficult to brute force.  That being said, the password (due to the fact that very few services allow more than a few failed login attempts per hour) is highly more likely to be acquired by other means.  When I say highly, I mean thousands of times more likely.

If you want to think black and white then yes, it does make a password slightly more secure.  But if you want to take in the complexity of the real world, understand that if I want to get your Experts Exchange password I'm more likely to con it off you than brute force the servers. (Hence the enigmatic "Don't share your password with ANYONE" phrase.)

Hopefully this clears it up for you.
LVL 84

Expert Comment

by: Dave Baldwin
ID: 39447345
Two primary things affect the 'security' of a password.  #1 is the value of the information that can be obtained by having it and #2 is the complexity or possible combinations of characters that can be used in the password.  If there is no economic value to be obtained, then people won't try very hard to crack a password.  If there is $100 million dollars to be had, they will put in a lot of effort to crack it.

Author Comment

ID: 39449329
Thanks, all. I’m aware that the easiest way to get a password is to social-engineer it out of someone (or shoulder-surf, dumpster-dive, etc.).

And I do understand that added complexity results in stronger passwords. My question was more along the lines of this:

Let’s say an attacker has to take into account that there are 96 different characters someone might use for a password. From a brute-force perspective, these two ten-character strings should be equally secure, even though the first one uses only lowercase letters, and the second uses letters, numbers, and punctuation.


JohnKillilea correctly points out that this would be a “security through obscurity” approach, though, and that there are sometimes methods to determine a password’s complexity. So from that perspective, I guess it is a valid concept to use as broad a character set as possible.

Thanks again for the discussion, everyone!
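The arithmetic behind the thread's conclusion, as an added worked example (it is not part of the original discussion and not code from any participant). It compares two attacker models: one who assumes nothing about the character set and searches all of printable ASCII (the questioner's scenario, in which every ten-character password costs the same), and one who exhausts small character classes before larger ones (JohnKillilea's point: the attacker does not need to know the policy, only to try lowercase first). The sample passwords, the alphabet ordering and the guess rate of a billion per second are constructed assumptions; it also goes slightly beyond the thread by expressing each keyspace in bits.

```python
"""Keyspace arithmetic for the character-set question above.

Added example, not part of the original thread. The passwords and the
guess rate below are constructed figures, not measurements.
"""
import math
import string
from typing import Tuple

# Alphabets an attacker might enumerate, smallest first. The last one is the
# 95 printable ASCII characters (the thread rounds this figure to 96).
ALPHABETS = [
    ("lowercase", string.ascii_lowercase),                          # 26
    ("lowercase+digits", string.ascii_lowercase + string.digits),   # 36
    ("letters", string.ascii_letters),                              # 52
    ("letters+digits", string.ascii_letters + string.digits),       # 62
    ("printable", string.ascii_letters + string.digits
                  + string.punctuation + " "),                      # 95
]
PRINTABLE = ALPHABETS[-1][1]


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of the given length over the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Search-space size in bits: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def naive_guesses(password: str) -> int:
    """Worst-case guesses for an attacker who assumes nothing about the
    character set and therefore searches all of printable ASCII.
    Every password of the same length costs the same here."""
    return keyspace(len(PRINTABLE), len(password))


def class_ordered_guesses(password: str) -> Tuple[int, str]:
    """Worst-case guesses for an attacker who exhausts each alphabet in
    ALPHABETS order before moving on to the next larger one.
    Returns (total guesses, name of the alphabet the password falls in)."""
    total = 0
    for name, alphabet in ALPHABETS:
        total += keyspace(len(alphabet), len(password))
        if all(ch in alphabet for ch in password):
            return total, name
    raise ValueError("password uses characters outside printable ASCII")


def days_to_exhaust(guesses: int, guesses_per_second: float) -> float:
    """Days needed to try every candidate at the given (assumed) rate."""
    return guesses / guesses_per_second / 86400


if __name__ == "__main__":
    RATE = 1e9  # assumed offline guess rate; constructed figure
    # Constructed ten-character samples: lowercase-only vs. mixed classes.
    for pw in ("applebanan", "App1e!banA"):
        naive = naive_guesses(pw)
        ordered, found_in = class_ordered_guesses(pw)
        print(f"{pw}: {entropy_bits(len(PRINTABLE), len(pw)):.1f} bits if "
              f"the full set is assumed; naive attacker {naive:.2e} guesses "
              f"({days_to_exhaust(naive, RATE):.0f} days); class-ordered "
              f"attacker {ordered:.2e} guesses "
              f"({days_to_exhaust(ordered, RATE):.1f} days, found in "
              f"'{found_in}')")
```

Against the naive attacker the two samples are indistinguishable, which is exactly the questioner's intuition. Against the class-ordered attacker the lowercase-only sample is exhausted in the first 26^10 guesses while the mixed sample costs the sum of all five alphabets, so the benefit of a wider character set does not depend on the attacker knowing the password policy, only on the attacker ordering the search sensibly.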
