Password Strength Analysis: Calculations and Recommendations for Developers
Passwords remain the cornerstone of authentication due to their simplicity and user familiarity. A username identifies an account, while a password confirms knowledge of a secret. Despite alternatives like hardware keys, OTPs, biometrics, and WebAuthn, passwords still dominate low-friction login systems.
For example, WebAuthn uses asymmetric encryption: the private key stays on the device, and the server verifies the signature using the public key. Biometric data is stored locally—never sent to servers—minimizing exposure risks.
Real-World Security: Math Behind Brute Force Attacks
Every password can be cracked through brute force—but security hinges on economic impracticality. Let’s calculate attack times for different configurations.
A 5-digit PIN (10^5 = 100,000 combinations) takes seconds at 10 attempts/sec. With a botnet of 10,000 devices (100,000 attempts/sec), cracking a 5-character password from a 36-character alphabet (letters + digits) takes under 9 minutes.
Expanding the character set:
- 62 characters (uppercase/lowercase + digits): 62^5 ≈ 916 million → ~2.5 hours with a botnet.
- 95 characters (including special symbols): 95^5 ≈ 7.7 billion → ~21 hours.
Length is the key factor. For 8 characters from 95: 95^8 ≈ 6.6×10^15 → over 2,000 years at 100,000 attempts/sec. Even without special characters (62^8 ≈ 2.2×10^14) → ~70 years.
| Character Set | Length | Combinations | Time (100k/sec) |
|----------------|--------|--------------|----------------|
| 36 | 5 | 52 million | 9 minutes |
| 62 | 5 | 916 million | 2.5 hours |
| 95 | 5 | 7.7 billion | 21 hours |
| 62 | 8 | 218 trillion | 70 years |
| 95 | 8 | 6.6 quintillion | 2,000+ years |
Rate limiting is essential: request limits per IP force attackers to use distributed botnets, drastically increasing costs.
Dictionary Attacks and Common Patterns
Full brute force is inefficient against long passwords. The real threat? Dictionary attacks and credential stuffing.
Examples of weak passwords:
Qwertyuio1— keyboard walk pattern.Abcdefghi0— sequential letters.P@ssW0rD36— leetspeak substitution.Ghbdtn— QWERTY layout for "Hello" (in Russian).
Recommendation: Use passphrases made of 4–6 random words (from a 20,000-word dictionary: 20,000^4 = 1.6×10^17 combinations → tens of thousands of years to crack). Avoid quotes or predictable phrases; use separators like hyphens or spaces.
PIN codes (4 digits) aren’t secure due to entropy—they’re protected by attempt limits (3–10 tries) and hardware-based hash protection.
Developer Mistakes in Password Storage
Passwords should never be stored in plaintext. Instead, use strong hashing algorithms like bcrypt, Argon2, or scrypt. Common mistakes:
- Storing passwords in plain text or using weak hashes like MD5/SHA-1.
- Missing salt—making rainbow table attacks possible.
- Weak hashing without sufficient iterations—enabling fast GPU cracking.
- No rate limiting or CAPTCHA protections.
- Ignoring credential stuffing checks—failing to verify if login pairs appear in breach databases (e.g., Have I Been Pwned?).
Best practices:
- Use Argon2id with memory-hard parameters.
- Assign a unique salt per user.
- Implement rate limiting (e.g., 5 attempts per minute per IP).
Practical Recommendations
For users:
- Use a unique password for each service.
- Aim for ≥12 characters or a passphrase (4+ random words).
- Use password managers:
* Local-only (KeePassXC): full control, manual sync.
* Cloud-based (Bitwarden): auto-sync, master password protection.
- Enable 2FA (TOTP preferred—avoid SMS).
For developers:
- Require passphrases or minimum 16-character passwords.
- Hash with Argon2 (p=2, m=64MB, t=3).
- Enforce rate limiting with exponential backoff.
- Adopt Passkeys/WebAuthn in new systems.
- Monitor for breaches using tools like Have I Been Pwned?
Key Takeaways
- Length beats complexity: 95^8 offers far greater strength than 62^12.
- Rate limiting + botnets = exponential cost increase for attackers.
- Random word passphrases deliver >10^17 possible combinations.
- Store only salted hashes using Argon2; plaintext = instant compromise.
- Unique passwords prevent credential stuffing attacks.
— Editorial Team
No comments yet.