If you're seeing this message, it means we're having trouble loading external resources on our website.

If you're behind a web filter, please make sure that the domains *.kastatic.org and *.kasandbox.org are unblocked.

Main content

Math behind password security

Sal explains the ins and outs of creating stronger passwords to keep your personal information safe.

Want to join the conversation?

  • old spice man green style avatar for user Don Spence
    While a computer can generate 2B passwords a second, how many can it test on a real website (say, my bank) per second, and how many failures will the website tolerate before it suspends the account? And what about my user ID? Does that not also add a layer of special protection? We'll leave two factor authentication for another day.
    (7 votes)
    Default Khan Academy avatar avatar for user
    • leafers seed style avatar for user Dan Loewenherz
      While the scenario you mention can happen, it's pretty unlikely. The standard method by which passwords get cracked usually involves some variant of social engineering, which then leads to the entire database getting compromised. Most competently designed web applications will hash the plaintext password prior to database insertion. When you have the entire database sitting on your desktop, that's when you start pulling out something like hashcat, set a time limit per credential, and go row by row through the database, filling in the blanks with increasingly more complicated password schemes in each run-through.

      Sal's not quite correct in saying that a computer can generate 2B passwords / sec. Hash generation speed highly depends on the hashing algorithm that was used to generate the hashed password. Some algorithms, such as scrypt, or PBKDF2, are orders of magnitude slower than something like SHA256. Usage of multiple rounds, salts, etc., can make things even less generalizable.
      (14 votes)
  • aqualine seed style avatar for user Wesley Tian
    @, the number of possible passwords added when you add another character isn't 72, it's by a multiple of 72. Big difference.
    (6 votes)
    Default Khan Academy avatar avatar for user
  • hopper cool style avatar for user 💯 DaVinci 💯
    at sal confused me, shouldn't it be a multiple?
    (5 votes)
    Default Khan Academy avatar avatar for user
  • leafers ultimate style avatar for user roy.charlesalexandre
    I don't understand why, for example, using only numbers would be problematic because presumably, the computers that are programmed to crack your password are considering all possible combinations that a keyboard can generate.

    Unless they're designed to progress through tiers of complexity, starting with say, only numbers first, and then moving on to numbers + lowercase letters, and so on.
    (4 votes)
    Default Khan Academy avatar avatar for user
    • blobby green style avatar for user asherenyeart
      You can run programs that check only number combinations for a range of lengths. You can then run the same program on another processor, but also add letters. Now run the program on a third processor and add special characters. Or you can modify the numbers only program so that the first processor works the first third of possible number combinations, the second processor works the second third of possible number combinations, and the third processor works the last third of possible number combinations. But consider the fact that the number of possible answers for a single number in a numbers-only password is only 10. Adding lowercase, uppercase, and symbols increases this number to 95 possible answers.

      So, a fixed, 8 character, numbers-only password only has 100,000,000 (10^8) password possibilities while a fixed, 8 character, numbers, letters, and symbols password has 6,634,204,312,890,625 password possibilities. That's 66,342,043 times larger than the number of possibilities for a numbers-only password.

      Now consider that special "hashing rigs" are built with 8 GPUs that process these kinds of calculations much faster than a normal processor. They can crack an 8 character password in 48 minutes.
      (2 votes)
  • blobby green style avatar for user Susan VanHouten
    Where can I access student passwords to send home?
    (4 votes)
    Default Khan Academy avatar avatar for user
  • winston baby style avatar for user Carver Starkweather
    I don't know my stunts password
    (4 votes)
    Default Khan Academy avatar avatar for user
  • blobby green style avatar for user Cathy Demanche
    I do not remember my student passwords. PLease advise
    (2 votes)
    Default Khan Academy avatar avatar for user
  • stelly blue style avatar for user cheskasflorentino
    Why do some apps which I know so well my password when I enter an email account says it is wrong ?
    (1 vote)
    Default Khan Academy avatar avatar for user

Video transcript

You've probably have had someone tell you the importance of having a strong password so that people can't break into your sensitive accounts. And they tell you some rules of thumb. They might tell you things like no words, where a word would be something in the dictionary or a proper noun, people's names, people's places, cities things like that. You'll also hear people, or people will tell you to use a variety of characters. Variety of characters. When they're talking about that they're saying don't just use numbers, don't just use lowercase letters, don't just use uppercase letter, don't just use special characters, use a combination of all of the above. So, for example, when you're talking about special characters, we're talking about things like the exclamation mark or the @ symbol or the hashtag. So, use that in combination with numbers in combination with upper and lowercase, upper and lowercase letters. The other that people will tell you is that the length of the password matters. So, longer, longer password is good. Now, what I want to do in this video is really appreciate why these, I guess we can say, rules of thumb matter. To think about that, we just have to think about how a password can be broken. So, if a human being is trying to snoop around. So, let's say this right over here is the thing that's trying to break the password. So, in this case it's a human being. What would they do? Well, they would just try out, they would try out password number one and maybe it doesn't work. Then they would try out password number two and then maybe it doesn't work. But they would just keep on doing that until maybe they get to password number, you know, maybe a human being could go up to a hundred. Maybe eventually they're able to find the password. It would surprise you how frequently people use passwords that could be guessed in this short a period of time because they use passwords like the word password or they use their username as their password or they use their password 12345 or 123456789. Or they use their date of birth, something that is very, very guessable. In that situation, even a human being might be able to try out in a reasonable amount of time and stumble upon the password. As you can imagine, human beings are not the only things that are trying to break into people's accounts. A malicious individual could write a malicious program that is trying to do this and programs are much, much faster at trying out all of the possibilities. But, you might say, hey, look, in the English language if you look up, you know, in the dictionary, there's roughly about 200, 200 thousand words. If you include proper nouns and different verb tenses and all of the rest, you're going into one million plus words. You might say, "Clearly a human being "couldn't try out all of these possibilities "and it probably would take a computer a long time." But you have to remember how incredibly fast computers are. Probably in your pocket, you have a smartphone or even maybe a not-so-smartphone. So, let me just make this clear. A computer and your phone, or most people's phones, are now computers. A computer can do in excess of two billion instructions per second. Instructions per second. This number is by Moore's Law, which you could look up as a fascinating dynamic in the computer industry, this is doubling every 18 months. So, even a fairly inexpensive phone can now do two billion instructions per second. It doesn't take that many instructions for them to try out a new password. So, you could imagine that a computer could actually try out all of these possibilities fairly quickly. There might be something slowing it down. It might take some time to test out the password or they might have to interact with some other system but it would not take a computer a long period of time. A computer does not get bored and a computer can be very, very, very, very persistent. Fair enough. So, now I've convinced you don't use words. Now, what about this whole idea of using a variety of characters? To think about why a variety of characters and, frankly, why longer passwords are good, we just have to break out a little bit of our high school mathematics. Remember a little bit about how many possible passwords or how the number of passwords increases as we use more characters and we make a longer password. So, for example, if you had a one character password, and you only use numbers, there would be 10 possibilities. The one character password, it could be, one, two, three, four, five, six, seven, eight, nine, or a zero. Now, if you had a two character password, so each of these little blanks I'm putting here is one of the characters. Then the first one could have 10 possibilities, the second one could have 10 possibilities. So, you have a total of 100 possibilities for a two character password that only uses numbers. Now, if you were to go all the way to an eight character password that uses only numbers. So, let's do that. So, three, four, five, six, seven, eight. I'm gonna take eight 10s and multiply them together which is the same thing, if we remind ourselves about what exponents mean, that's 10 to the eighth power. That is one followed by eight zeros. One, two, three, four, five, six, seven, eight. There's a hundred million possible passwords, eight digit passwords, where we are only using numbers. So, once again, you might feel pretty good about that but look at this number, two billion instructions per second for even a fairly inexpensive computer. We're not talking about a super computer or a whole bank of computers someplace. So, it's like, "Okay, I kind of see that." But, one thing you do appreciate immediately is every time that you add another character, even if you're limiting yourself only to the numbers, to the digits zero through nine, every time you increase a character, you're increasing the number of possible passwords by 10. So, if you have a ninth character, now, all of a sudden, there are going to be one billion possible passwords. So, that's why we have the idea that the longer the password, the better. Now, why does using a variety of characters help? Well, then there's more possibilities per character in this password. So, if you have an eight character password. So, that's four, five, six, seven, eight. And let's say you would extend it to letters and numbers. So, there's 26 letters and there's 10 numbers. So, that would be 36 possibilities for the first one, 36 for the second one, 36 for the third one, 36 for the fourth one, so on and so forth. And then you would multiply those 36s, which is gonna give you a much bigger number. Or if you were to even extend it even further. If you were to say, "Look, we have 10 numbers," or I guess we can say we have 10 digits. We have 10 digits. And there's actually more than 10 but let' say the easy to get to special characters right over here. So, we have 10 special characters, there's actually more at your disposal. 10 special characters. You have 26 lowercase letters and 26 uppercase. So, now if you use this as your arsenal for each of the characters of your password, that gives you total of, let's see. This is 52 plus 20. That gives you 72 possibilities for each of these blanks. And now things get much, much, they get big faster. You get more possibilities faster as you add more and more characters. So, for example, now we are talking about a scenario where every time you add a character, if you pick from an arsenal, from this arsenal, 72 times 72 times 72, every time you add a character, you get 72 times as many passwords. So, let's see, that's eight 72s. So, that's 72 to the eighth power. And I'm going to need a calculator for that one. That is 72 to the eighth power which gets us to, and I won't write this whole thing, roughly 7.2 times 10 to the 14th power. So, this is, let me write this, approximately 7.2 times 10 to the 14th power. Just to give you an idea of this. This is roughly a seven followed by, or, you know this is approximately a seven and then you have a two and then we have 13 more zeros. One, two, three, four, five, six, seven, eight, nine, 10, 11, 12, 13 zeros. So, now, we are dealing with, let's see, this is million, this is billion. 720 trillion possibilities. Is that right? This is million, billion, 720 trillion possibilities. So, when you expand it this way, you have now gotten, so if we divide that by a hundred million. So, let me do that just for fun. This is actually quite exciting. So, if you divide that by a hundred, that's a hundred thousand, so a hundred million. Let me make sure I got that right. One, two, three, four, five, six, seven, eight. Just by increasing your arsenal of characters, you have seven million more possible passwords. It would take someone or a computer seven million times longer to break your password in this situation, assuming it isn't one of the kind of the easy, low-hanging passwords to guess. And every time you add another character, it increases the number of passwords by 72. So, hopefully this gives you an appreciation why people give you these rules of thumb when you are selecting your password.