Back to Home

Password Strength: Calculations for Developers

The article breaks down the mathematical password strength with brute-force calculations, dictionary attack threats, and storage recommendations (Argon2, salt). For developers: throttling, 2FA, uniqueness. For users: passphrase and managers.

Password Strength Calculation: Why Length Matters Most
Advertisement 728x90

Password Strength Analysis: Calculations and Recommendations for Developers

Passwords remain the cornerstone of authentication due to their simplicity and user familiarity. A username identifies an account, while a password confirms knowledge of a secret. Despite alternatives like hardware keys, OTPs, biometrics, and WebAuthn, passwords still dominate low-friction login systems.

For example, WebAuthn uses asymmetric encryption: the private key stays on the device, and the server verifies the signature using the public key. Biometric data is stored locally—never sent to servers—minimizing exposure risks.

Real-World Security: Math Behind Brute Force Attacks

Every password can be cracked through brute force—but security hinges on economic impracticality. Let’s calculate attack times for different configurations.

Google AdInline article slot

A 5-digit PIN (10^5 = 100,000 combinations) takes seconds at 10 attempts/sec. With a botnet of 10,000 devices (100,000 attempts/sec), cracking a 5-character password from a 36-character alphabet (letters + digits) takes under 9 minutes.

Expanding the character set:

  • 62 characters (uppercase/lowercase + digits): 62^5 ≈ 916 million → ~2.5 hours with a botnet.
  • 95 characters (including special symbols): 95^5 ≈ 7.7 billion → ~21 hours.

Length is the key factor. For 8 characters from 95: 95^8 ≈ 6.6×10^15 → over 2,000 years at 100,000 attempts/sec. Even without special characters (62^8 ≈ 2.2×10^14) → ~70 years.

Google AdInline article slot

| Character Set | Length | Combinations | Time (100k/sec) |

|----------------|--------|--------------|----------------|

| 36 | 5 | 52 million | 9 minutes |

Google AdInline article slot

| 62 | 5 | 916 million | 2.5 hours |

| 95 | 5 | 7.7 billion | 21 hours |

| 62 | 8 | 218 trillion | 70 years |

| 95 | 8 | 6.6 quintillion | 2,000+ years |

Rate limiting is essential: request limits per IP force attackers to use distributed botnets, drastically increasing costs.

Dictionary Attacks and Common Patterns

Full brute force is inefficient against long passwords. The real threat? Dictionary attacks and credential stuffing.

Examples of weak passwords:

  • Qwertyuio1 — keyboard walk pattern.
  • Abcdefghi0 — sequential letters.
  • P@ssW0rD36 — leetspeak substitution.
  • Ghbdtn — QWERTY layout for "Hello" (in Russian).

Recommendation: Use passphrases made of 4–6 random words (from a 20,000-word dictionary: 20,000^4 = 1.6×10^17 combinations → tens of thousands of years to crack). Avoid quotes or predictable phrases; use separators like hyphens or spaces.

PIN codes (4 digits) aren’t secure due to entropy—they’re protected by attempt limits (3–10 tries) and hardware-based hash protection.

Developer Mistakes in Password Storage

Passwords should never be stored in plaintext. Instead, use strong hashing algorithms like bcrypt, Argon2, or scrypt. Common mistakes:

  • Storing passwords in plain text or using weak hashes like MD5/SHA-1.
  • Missing salt—making rainbow table attacks possible.
  • Weak hashing without sufficient iterations—enabling fast GPU cracking.
  • No rate limiting or CAPTCHA protections.
  • Ignoring credential stuffing checks—failing to verify if login pairs appear in breach databases (e.g., Have I Been Pwned?).

Best practices:

  • Use Argon2id with memory-hard parameters.
  • Assign a unique salt per user.
  • Implement rate limiting (e.g., 5 attempts per minute per IP).

Practical Recommendations

For users:

  • Use a unique password for each service.
  • Aim for ≥12 characters or a passphrase (4+ random words).
  • Use password managers:

* Local-only (KeePassXC): full control, manual sync.

* Cloud-based (Bitwarden): auto-sync, master password protection.

  • Enable 2FA (TOTP preferred—avoid SMS).

For developers:

  • Require passphrases or minimum 16-character passwords.
  • Hash with Argon2 (p=2, m=64MB, t=3).
  • Enforce rate limiting with exponential backoff.
  • Adopt Passkeys/WebAuthn in new systems.
  • Monitor for breaches using tools like Have I Been Pwned?

Key Takeaways

  • Length beats complexity: 95^8 offers far greater strength than 62^12.
  • Rate limiting + botnets = exponential cost increase for attackers.
  • Random word passphrases deliver >10^17 possible combinations.
  • Store only salted hashes using Argon2; plaintext = instant compromise.
  • Unique passwords prevent credential stuffing attacks.

— Editorial Team

Advertisement 728x90

Read Next