The Effect of Constraints on the Number of Viable Permutations of Passwords
Authors: Randy Abrams, Briana Butler

Date: August 7 2018
Publication: BSidesLV 2018
Source: Currently no known Internet copy of paper.

Abstract or Summary:
Typically the impact of constraints on the maximum number of permutations for a password is not considered much-the-less quantified. Password policies that require a minimum character length and mandate the use of lowercase letters, uppercase letters, numbers and symbols may reduce the number of viable passwords by more than 60% of the unconstrained character set. Mandating 12 character password length immediately eliminates 9511 potential passwords. Every combination of character constraints reduces the number of viable passwords even further. Websites with maximum character lengths and character set constraints can easily eliminate over 50% of the viable eight character password for the allowed and required character sets. In this paper we will quantify the effects of multiple combinations of constraints on 8, 12, and 16 character passwords, and provide the Python script used in our calculations and as a starting point for further analysis by others. Note: Video of presentation:

Do you have additional information to contribute regarding this research paper? If so, please email with the details.

<-- Back to Authentication Research Paper Index

[Home] [About Us] [News] [Research]

Copyright © 2019