Thomas Gassmann (ETH)

Keeping password length secret

2023-08-25 - 2 min read

Note that these are only rough calculations based on a set of strong assumptions. They apply to exhaustive brute force and are not going to hold for other techniques (dictionary or rule-based guessing, for example).

I was recently having a discussion about password inputs! Most password fields out there mask their characters, i.e. they display "********" instead of "password". However, in a project I was involved in there was a requirement to mask the input such that it would always display a static number of masked characters. I thought that would be quite unintuitive and questioned the benefit of it. But apparently, there are also some well-known applications that do this. This made me wonder how much easier it would be to guess a password if you already knew its length.

Let's assume a very basic brute force approach. Let $r(n, m)$ be the ratio of possible passwords you can eliminate from your search, with $n$ being the password length and $m$ being the number of possible characters: the attacker can skip every candidate of length $1$ to $n - 1$, and we count those relative to the $m^n$ candidates of length $n$.

$$
\begin{align*}
r(n, m) & = \frac{\sum_{i=1}^{n-1} m^i}{m^n}\\
& = \frac{\frac{m^n - 1}{m - 1} - 1}{m^n}\\
& = \frac{m^n - m}{m^n(m - 1)}\\
& = \frac{1 - m^{1-n}}{m - 1}
\end{align*}
$$

Now, if we assume that $m, n \geq 2$ (notice that $m^{1-n}$ is strictly decreasing in $[2, \infty) \times [2, \infty)$, so it is at most $1/2$ there):

$$
\frac{1}{2(m - 1)} \leq \frac{1 - m^{1-n}}{m - 1} \leq \frac{1}{m - 1}
$$

One interesting observation here is the following: even if your password were arbitrarily long, an attacker would still get some benefit from knowing its length. As $n \to \infty$, $r(n, m)$ tends to $\frac{1}{m - 1}$, so in that limit the benefit depends only on the number of characters that are allowed.

In practice, we can almost always assume that $m \geq 62$ (26 lower-case, 26 upper-case, 10 digit characters), which gives us the following bounds:

$$
\left[ \frac{1}{122}, \frac{1}{61} \right] \approx \left[ 0.008197, 0.016393 \right]
$$

i.e. even in the worst-case scenario, an attacker would only have approx. 1.64% fewer options to try. (The lower bound is loose: for $n = 2$ the closed form collapses to exactly $r(2, m) = \frac{1}{m}$, so for $m = 62$ the ratio actually lies in $\left[\frac{1}{62}, \frac{1}{61}\right)$. Either way, it is the upper bound that matters for the attacker.)
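The derivation above, carried through numerically as an added example (this is not code from the original post, and all function names are this example's own choices): it computes $r(n, m)$ three ways, from the closed form, from the geometric sum in the definition, and by literally enumerating every string over a small constructed alphabet, then checks the bounds for $m = 62$ and the tighter range that follows from $r(2, m) = 1/m$.

```python
from fractions import Fraction
from itertools import product

# Added example (not part of the original post): numerical check of the
# derivation of r(n, m). Function names are this example's own choices.


def eliminated_ratio(n: int, m: int) -> Fraction:
    """r(n, m) from the closed form (1 - m^(1-n)) / (m - 1).

    n: password length, m: alphabet size. The value is the number of
    candidates of length 1..n-1 an attacker can skip, divided by the m^n
    candidates of length n (the denominator used in the post).
    """
    if n < 2 or m < 2:
        raise ValueError("the derivation assumes n >= 2 and m >= 2")
    return (1 - Fraction(1, m ** (n - 1))) / (m - 1)


def eliminated_ratio_by_sum(n: int, m: int) -> Fraction:
    """The same ratio straight from the definition: sum_{i=1}^{n-1} m^i / m^n."""
    shorter = sum(m ** i for i in range(1, n))
    return Fraction(shorter, m ** n)


def eliminated_ratio_by_enumeration(n: int, m: int) -> Fraction:
    """The same ratio by enumerating every string over a constructed alphabet
    of m symbols. Only sensible for tiny n and m (it materialises m^n strings)."""
    if m > 10:
        raise ValueError("toy alphabet only supports m <= 10")
    alphabet = "abcdefghij"[:m]  # constructed toy alphabet
    shorter = sum(1 for length in range(1, n)
                  for _ in product(alphabet, repeat=length))
    exact = sum(1 for _ in product(alphabet, repeat=n))
    return Fraction(shorter, exact)


def bounds(m: int) -> tuple:
    """(lower, upper) = (1/(2(m-1)), 1/(m-1)), valid for every n >= 2."""
    return Fraction(1, 2 * (m - 1)), Fraction(1, m - 1)


def tight_range(m: int) -> tuple:
    """Tighter range for fixed m: the minimum is at n = 2, where the closed
    form gives exactly 1/m; the supremum (n -> infinity) is 1/(m-1)."""
    return eliminated_ratio(2, m), Fraction(1, m - 1)


def worst_case_percent(m: int) -> float:
    """Largest share of the length-n search space an attacker can skip, in percent."""
    return round(100 * float(bounds(m)[1]), 2)


if __name__ == "__main__":
    # All three computations must agree on small cases.
    for n, m in [(2, 3), (3, 3), (4, 2)]:
        assert (eliminated_ratio(n, m) == eliminated_ratio_by_sum(n, m)
                == eliminated_ratio_by_enumeration(n, m))
    # The bounds from the post hold for every length with a 62-symbol alphabet.
    lo, hi = bounds(62)
    for n in range(2, 40):
        assert lo <= eliminated_ratio(n, 62) <= hi
    print("r(12, 62)            =", float(eliminated_ratio(12, 62)))
    print("bounds for m = 62    =", [float(b) for b in bounds(62)])
    print("tight range, m = 62  =", [float(b) for b in tight_range(62)])
    print("worst case, m = 62   =", worst_case_percent(62), "%")
```

Fractions are used throughout so the equality checks are exact rather than floating-point approximations; the enumeration variant exists only to confirm that the geometric sum really counts what the text says it counts.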