Many sites can ask you to make an account in order to get more services, etc.
Most of the time a password is asked for as well.
I understand there is a need to make a password of a certain length, say at least 6 chars or longer.
What I don't understand is why you also have to use letters and digits.
For us humans there is a difference, but for a computer they are just codes in an ASCII table.
So a computer should not care the least, or has this something to do with an eventual password encryption?
Thanks in advance for any response.


Put simply, the larger the character set used, the longer it takes to do a brute force crack of the password. If you just use letters, or even just lower case letters, your string would have to be longer to have the same security as if it used more varied characters.

Yes, seems logical. But why the requirement of letters and digits?
So, as an example, if I use a password of 2 chars (to keep it simple),
say:
'!}' (ASCII 33 and ASCII 125) would be harder to crack than 'AC' (ASCII 65 and ASCII 67)?

Because '!' and '}' have to be included in the try set. I'll put it a different way. Why is this loop?

for (int i = 0; i < 27; i++)
{
    for (int j = 0; j < 27; j++)
    {
        // Stuff
    }
}

Faster than this loop?

for (int i = 0; i < 127; i++)
{
    for (int j = 0; j < 127; j++)
    {
        // Stuff
    }
}

The same principle applies. The more you have to consider in what characters might be there, the longer it takes to actually identify them.
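The nested-loop argument above is about the size of the search space: the alphabet size raised to the password length. The following is an added example, not code posted by anyone in the thread, that puts numbers on that (the charset sizes are assumed, typical values, not any particular site's policy):

```python
# Added example: search-space size as a function of alphabet size and length.
# Charset sizes below are assumed typical values, not a specific site's rules.
import math

CHARSETS = {
    "digits": 10,            # 0-9
    "lowercase": 26,         # a-z
    "alphanumeric": 62,      # a-zA-Z0-9
    "printable_ascii": 95,   # space through '~' (ASCII 32-126)
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters drawn
    from an alphabet of `charset_size` symbols (the inner-loop count of
    the nested loops in the post, generalised to any length)."""
    return charset_size ** length


def bits_of_entropy(charset_size: int, length: int) -> float:
    """Same quantity expressed in bits, the usual way to compare policies."""
    return length * math.log2(charset_size)


def equivalent_length(small_charset: int, large_charset: int, length: int) -> int:
    """Shortest length over the smaller alphabet whose keyspace is at least
    as large as `length` characters over the larger alphabet. This is the
    'your string would have to be longer' trade-off from the first reply."""
    target = keyspace(large_charset, length)
    n = length
    while keyspace(small_charset, n) < target:
        n += 1
    return n


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guess rate
    (assumed rate; it depends entirely on the hash and hardware)."""
    return keyspace(charset_size, length) / guesses_per_second


if __name__ == "__main__":
    for name, size in CHARSETS.items():
        print(f"{name:16s} 8 chars: {keyspace(size, 8):>20,d} "
              f"({bits_of_entropy(size, 8):.1f} bits)")
    print("lowercase length matching 8 printable-ASCII chars:",
          equivalent_length(26, 95, 8))
```

Running it shows why the thread's two loops differ: 27^2 is 729 iterations while 127^2 is 16,129, and at realistic lengths the gap grows to many orders of magnitude, which is also why a longer lowercase-only pass phrase can match or beat a short mixed-character password.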

Yes, I completely understand your point. It makes it a little clearer to me. But why do some websites insist that my password HAS to have letters AND digits? Or do they not want to bother the average user with questions about also inputting control and punctuation chars and just keep it plain simple?

But why do some websites insist that my password HAS to have letters AND digits?

Mindless tradition, probably. For the longest time the bare minimum password policy was at least 8 characters including one upper case letter, one lower case letter, one number, and one special character.

These days a pass phrase is more secure due to its length, but many sites still have a character maximum and/or character combination checks that preclude a pass phrase. I can only assume it's because they follow "best practice" without putting any more thought into it.

Interesting thread. In Yahoo mail, when you set the password you are not allowed to use the characters included in the username, no matter if you're using only one of those characters, and this check is case insensitive. But they still want at least an uppercase character. In my opinion this solution is self-defeating because an attacker will know which characters can be omitted from the brute force.

For example, if the username is deceptikon we can exclude 18 characters: decptikon and DECPTIKON, if the minimum password length is 8, then it translates to:

((44^8) * 100) / (62^8)

Where 62 is a-zA-Z0-9. It means that, by excluding the known characters, the combinations to check can be reduced to 6.43% of the total, which is a huge difference. Not only this, but increasing the length, the range will continue to drop: with a length of 12, the combinations to check will be only 1.63% of the total (62^12). It will always be a big number of combinations, but why they exclude those characters, I don't see the logic of this decision. Or are my observations wrong?

EDIT
Ok, I'm probably wrong, because actually there's a condition: if you choose more than one character equal to the username, then the password cannot be used. So it is much more complicated, but you still know that you can exclude all those combinations that include at least 2 of the username characters; if you apply this to a dictionary you can limit the range a lot.
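The percentages in the post above, worked out exactly, as an added example that is not code from the thread. It computes the post's original model (no username character allowed anywhere) and the EDIT's model, read here as "at most one position may hold a username character" (that reading of the rule is an assumption; the exact Yahoo policy is not on the page). Exact rationals avoid floating-point rounding.

```python
# Added example: how much a "no username characters" rule shrinks the
# alphanumeric search space. Username and policy models follow the post;
# the "at most one username character" reading of the EDIT is an assumption.
from fractions import Fraction

ALPHANUMERIC = 62              # a-zA-Z0-9, as in the post
USERNAME = "deceptikon"        # the username used as the post's example


def excluded_chars(username: str) -> int:
    """Distinct letters of the username, counted in both cases because
    the post says the check is case insensitive (deceptikon -> 18)."""
    letters = {c.lower() for c in username if c.isalpha()}
    return len(letters) * 2


def fraction_none_from_username(n: int, excluded: int, total: int = ALPHANUMERIC) -> Fraction:
    """Share of all length-n strings that contain no excluded character:
    (total - excluded)^n / total^n, the post's ((44^8) * 100) / (62^8)."""
    return Fraction((total - excluded) ** n, total ** n)


def fraction_at_most_one(n: int, excluded: int, total: int = ALPHANUMERIC) -> Fraction:
    """Share of length-n strings with at most one position drawn from the
    excluded set (the EDIT's rule, as read here): strings with zero such
    characters plus strings with exactly one (n positions * excluded
    choices * (total - excluded)^(n-1) for the rest)."""
    allowed = (total - excluded) ** n + n * excluded * (total - excluded) ** (n - 1)
    return Fraction(allowed, total ** n)


def percent(fr: Fraction) -> float:
    """Rational share as a percentage rounded to two decimals."""
    return round(float(fr) * 100, 2)


if __name__ == "__main__":
    ex = excluded_chars(USERNAME)
    for n in (8, 12):
        print(f"length {n}: none-from-username {percent(fraction_none_from_username(n, ex))}% "
              f"of 62^{n}; at-most-one {percent(fraction_at_most_one(n, ex))}%")
```

The first model reproduces the post's 6.43% at length 8 and 1.63% at length 12; under the looser "at most one" reading the candidate set is still only about a quarter of the full 62^8 space, so the poster's point that a public exclusion rule hands information to a brute-force attacker stands in either reading.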

Ahh passwords.

The larger the range of characters, the harder it is to crack a password. If you just use 0-9, that's 10^x possible passwords, where x is the length of the password.

The more variety you add, the greater the complexity.

Most passwords, when stored, are stored as hash values, a string of characters that can NOT be reversed, but is used to reference against. The only way a hash value can be figured out is doing something like rainbow tables. You'll have computers just running all possibilities of passwords, then hashing them and storing that hash. These hashes can be compared against those that are stored, and if a match is found, technically your password is cracked.

Now mix that in with the increased amount of possibilities (numbers and letters) and your hashed password just became that much harder to try and find a match for (of course having a salt also helps with this ... decreasing the effectiveness of computed hash tables).

(hashing to me is very fascinating, as well as security; my college degree is in Computer Science Security, with one of my last classes being a graduate class called applied cryptography)

I should point out that when it all comes down to encryption, everything is treated as bytes, so a capital letter is a different value than a lower case one.

Sorry, I didn't edit in time.

Edit 2

I'm probably wrong, because actually there are a few conditions: capitalization matters, you cannot use characters of the name, and if you choose more than one character from the username, then the password cannot be chosen. So it is much more complicated, but you still know that you can exclude all those combinations.

Going back to my corner to think è_é and sorry for the off-topic.

Thanks guys for clarifying!

LOL hopefully we didn't confuse you more (I realized I threw out a bunch of stuff without really explaining it well, like hashing).

@Ange1ofD4rkness: Thank you, but I have a good understanding of the concept of hashing. Perhaps you could write a tutorial about it and post it here?

@ddanbe, alright, I can throw something together (well, maybe write it up). I also plan to write a tutorial, or more a step by step, showing how QR Codes are made.
