Why a 27 character password is less secure than an 8 character one

The Russians obviously did not read my earlier posts on why longer passwords are often less secure than shorter ones.
So they forced their agents to use a 27-character password which was easily retrieved by the FBI… since it was written on a piece of paper.

The time it takes to break a 27-character password: a few hours (going through the post-it notes and paper scraps)
The time it takes to break an 8-character password: 242 days (assuming uppercase/lowercase letters only, brute forcing 10,000 passwords per second).

(via Bruce Schneier. Password recovery calculation time here)

  • Funtime

    Brute forcing 10,000 passwords per second (according to the pw recovery calculation you posted) is the equivalent of brute forcing a MS Office password protected file on a Pentium 100. You really need to consider the Class D attack, which is quoted as ‘Fast PC, Dual Processor PC’, and can crack closer to 10,000,000 passwords per second. Which quickly turns your 242 days into 348 minutes…which is a little under 6 hours.

  • http://www.BeyondSecurity.com Aviram

    @Funtime – this password is for logging into an application (at least, that’s how the article describes it). I don’t know many applications that can handle 10k logins per second, so I think even the “Class A attack” estimate is highly optimistic.

  • http://www.gamersanon.com Kahlid74

    I understand your point and where you are coming from and it’s a valid place, but this article is a misnomer. A 27 character length password will ALWAYS be more secure than an 8 character one from a technical perspective.

    What you’re really talking about is social engineering, which I am 100% down with. Our parent company made our screens lock, which also hit machines running the manufacturing floor. Users on the floor wrote the passwords on the plastic rim of the monitors.

    I read your other posts too and I think you’re half right, half wrong. I don’t think that all of the security mechanisms we have are Security by obstruction because I believe that when they are used together in the right context, they can truly add additional security.

    The bottom line is users have to be socially engineered to understand best practice security principles. We dealt with the password on the side of the monitors by using 10-23 character passwords that were actually phrases. They were and continue to be phrases related to the product but not easily understood by anyone who doesn’t work on the manufacturing floor.

    So yeah, I completely agree about social engineering, and how it typically negates all add-on security, but a 27 character password technically is ALWAYS more secure than an 8 character password.

  • brad

    I think randomly generated 27 character passwords are more secure than randomly generated 8 character passwords. The real question is whether a 27 character password written on a piece of paper sitting on the desk is more secure than an eight character password in someone’s head.

  • http://www.BeyondSecurity.com Aviram

    @brad and @kahlid74 – as we all agree a 27 character password will ALWAYS be somewhere outside the person’s head. Note that if it is an easy to remember phrase it is no longer the strength of a 27 character password (it is a few dictionary words separated by spaces).

    So yes, an 8 character password will be kept in someone’s head vs a 27 character password that will be kept on a piece of paper or written on the monitor. Any way you look at it, the first is stronger than the second.
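The arithmetic behind the post’s 242-day figure, Funtime’s 10,000,000-guesses-per-second revision, and Aviram’s point that a phrase of a few dictionary words is not as strong as 27 random characters, worked as an added example (this is not code from the original post or from SecuriTeam). It assumes a worst-case exhaustive search of the whole keyspace and, for the 8-character case, a 26-letter alphabet, which is the alphabet that actually yields 242 days at 10,000 guesses per second (a 52-letter alphabet would be 2^8 = 256 times larger); the 2,000-word dictionary size for the passphrase case is a constructed, illustrative number.

```python
import math

# Alphabet sizes used in the comparisons below.
ALPHABET_SIZES = {
    "lowercase letters": 26,
    "mixed-case letters": 52,
    "mixed-case letters and digits": 62,
    "printable ASCII": 95,
}

SECONDS_PER_DAY = 86_400


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passwords of exactly `length` symbols drawn from the alphabet."""
    return alphabet_size ** length


def passphrase_keyspace(words: int, dictionary_size: int) -> int:
    """Keyspace of a passphrase built from `words` words chosen from a dictionary.

    This is Aviram's point: a memorable phrase is chosen word by word, so its
    strength is the number of word combinations, not the number of character
    combinations of the same length.
    """
    return dictionary_size ** words


def entropy_bits(space: int) -> float:
    """Entropy (in bits) of a uniformly random choice from `space` candidates."""
    return math.log2(space)


def brute_force_days(space: int, guesses_per_second: float) -> float:
    """Worst-case time, in days, to exhaust a keyspace at the given guess rate."""
    return space / guesses_per_second / SECONDS_PER_DAY


def compare(guesses_per_second: float) -> dict:
    """Compare the cases discussed in the thread at one guess rate.

    Returns a mapping from a label to (entropy in bits, worst-case days).
    The passphrase case assumes 4 words from a constructed 2,000-word vocabulary.
    """
    cases = {
        "8 random lowercase letters": keyspace(8, ALPHABET_SIZES["lowercase letters"]),
        "8 random mixed-case letters": keyspace(8, ALPHABET_SIZES["mixed-case letters"]),
        "4-word passphrase (2,000-word dictionary)": passphrase_keyspace(4, 2_000),
        "27 random lowercase letters": keyspace(27, ALPHABET_SIZES["lowercase letters"]),
    }
    return {
        label: (entropy_bits(space), brute_force_days(space, guesses_per_second))
        for label, space in cases.items()
    }


if __name__ == "__main__":
    # The post's rate (Class A-style, 10,000/s) and Funtime's rate (10,000,000/s).
    for rate in (10_000, 10_000_000):
        print(f"\nAt {rate:,} guesses per second:")
        for label, (bits, days) in compare(rate).items():
            print(f"  {label:42s} {bits:7.1f} bits  {days:14.3g} days")
```

The output makes the thread’s two separate arguments visible side by side: the 8-letter password is about 37.6 bits and lasts 242 days at 10,000 guesses per second but only about 348 minutes at 10,000,000, while a 4-word passphrase from a small vocabulary (about 44 bits) is nowhere near a 27-character random string (about 127 bits), which is why a phrase chosen for memorability should be rated by its word count and dictionary size rather than its character length. None of this arithmetic applies to a password written on a note: its effective keyspace is one.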

  • http://www.iweb-ftp.co.uk Sams ftp

    How can you have a standard commercial PC attempt that many passwords per second? Are we talking about online database attempts like blogs etc?

  • http://www.ridgeon-network.co.uk/ftp-hosting FTP Hosting

    The strength of a password is a function of length, complexity, and unpredictability.

  • Pingback: SecuriTeam Blogs » Simple passwords are the solution

  • Pingback: SecuriTeam Blogs » Forcing your users to write down their passwords