I only said check it out, there is a lot of content there useful to the wider topic and the page clearly states what it is and isn't.
>>> IMPORTANT!!! What this calculator is NOT . . .
It is NOT a “Password Strength Meter.”
Since it could be easily confused for one, it is very important for you to understand what it is, and what it isn't:
The #1 most commonly used password is “123456”, and the 4th most common is “Password.” So any password attacker and cracker would try those two passwords immediately. Yet the Search Space Calculator above shows the time to search for those two passwords online (assuming a very fast online rate of 1,000 guesses per second) as 18.52 minutes and 17.33 centuries respectively! If “123456” is the first password that's guessed, that wouldn't take 18.52 minutes. And no password cracker would wait 17.33 centuries before checking to see whether “Password” is the magic phrase.
Okay. So what IS the “Search Space Calculator” ?
This calculator is designed to help users understand how many passwords can be created from different combinations of character sets (lowercase only, mixed case, with or without digits and special characters, etc.) and password lengths. The calculator then puts the resulting large numbers (with lots of digits or large powers of ten) into a real world context of the time that would be required (assuming differing search speeds) to exhaustively search every password up through that length, assuming the use of the chosen alphabet.
How can I apply this to my daily life?
Answering that question is the reason this page exists. The whole point of using padded passwords is to adopt a much more you-friendly approach to password design. On June 1st, Leo Laporte and I recorded our weekly Security Now! podcast as part of Leo's TWiT.tv (This Week in Tech) audio and video podcasting network. You may download a shortened, 37-minute, excerpted version presenting the padded password and Haystack calculator concepts:
My point is that a "search space calculator" isn't useful. The only thing it will ever achieve is misleading people. Especially as that definition is also wrong, because the search space of a dictionary is achieved by counting words, not letters.
>>> IMPORTANT!!! What this calculator is NOT . . .
It is NOT a “Password Strength Meter.”
Since it could be easily confused for one, it is very important for you to understand what it is, and what it isn't:
The #1 most commonly used password is “123456”, and the 4th most common is “Password.” So any password attacker and cracker would try those two passwords immediately. Yet the Search Space Calculator above shows the time to search for those two passwords online (assuming a very fast online rate of 1,000 guesses per second) as 18.52 minutes and 17.33 centuries respectively! If “123456” is the first password that's guessed, that wouldn't take 18.52 minutes. And no password cracker would wait 17.33 centuries before checking to see whether “Password” is the magic phrase.
Okay. So what IS the “Search Space Calculator” ? This calculator is designed to help users understand how many passwords can be created from different combinations of character sets (lowercase only, mixed case, with or without digits and special characters, etc.) and password lengths. The calculator then puts the resulting large numbers (with lots of digits or large powers of ten) into a real world context of the time that would be required (assuming differing search speeds) to exhaustively search every password up through that length, assuming the use of the chosen alphabet.
How can I apply this to my daily life? Answering that question is the reason this page exists. The whole point of using padded passwords is to adopt a much more you-friendly approach to password design. On June 1st, Leo Laporte and I recorded our weekly Security Now! podcast as part of Leo's TWiT.tv (This Week in Tech) audio and video podcasting network. You may download a shortened, 37-minute, excerpted version presenting the padded password and Haystack calculator concepts: