Why is the use of special characters in passwords considered a strong password?

Why special characters are required for a strong password.

Some websites request that a special character be entered as required to create a password.

Is there a technical reason?


source to share

3 answers

Sure. It takes a very long time to explain and surpass my humble ability, so you will need to read about the concept of entropy in information theory . A simpler explanation from Wikipedia :

Human passwords

Humans are known to shy away from achieving enough entropy to produce satisfactory passwords. Some magical sorcerers exploit this incapacity for entertainment, in a secondary way, by predicting an alleged random choice (number, for example) made by audience members.

Thus, in one analysis of over 3 million eight-character passwords, the letter "e" was used over 1.5 million times, while the letter "f" was used only 250,000 times. In an even distribution, each character would be used approximately 900,000 times. The most commonly used number is "1", while the most common are the letters a, e, o and r.

Users rarely make full use of large character sets when generating passwords. For example, hacking results using the MySpace phishing scheme in 2006 identified 34,000 passwords, of which only 8.3% used a mixed case, numbers and symbols.

Note that the full power of using the entire ASCII character set (numbers, mixed letters, and special characters) is only achieved when each character in the password is randomly selected from that set. Using a letter and adding one or two numbers and a special character to a password will not achieve the same power. If numbers and special characters are added in predictable ways, say at the beginning and end of a password, they can even lower the password level compared to a random password of all letters of the same length. NIST Special Publication 800-63

enter image description here

NIST Special Publication 800-63, June 2004, offers the following schema for roughly estimating the entropy of human-generated passwords: 2

The entropy of the first character is four bits;
The entropy of the next seven characters are two bits per character;
The ninth through the twentieth character has 1.5 bits of entropy per character;
Characters 21 and above have one bit of entropy per character.
A "bonus" of six bits is added if both upper case letters and non-alphabetic characters are used.
A "bonus" of six bits is added for passwords of length 1 through 19 characters following an extensive dictionary check to ensure the password is not contained within a large dictionary. Passwords of 20 characters or more do not receive this bonus because it is assumed they are pass-phrases consisting of multiple dictionary words.


Using this scheme, an eight-digit personal password without uppercase and non-alphabetic letters is estimated to be 18 bits of entropy. The NIST publication recognizes that, at the time of development, little information was available for choosing passwords in the real world.

enter image description here

More recent studies of the entropy of human-selected passwords using new available real-world data have demonstrated that the NIST scheme does not provide a reliable metric for estimating the entropy of human-selected passwords. Usability and implementation considerations

Because keyboards vary by country, not all 94 ASCII printable characters can be used everywhere. This can be a problem for an international traveler who would like to log into a remote system using the keyboard on the local computer. See Keyboard layout. Many handheld devices, such as tablet computers and smartphones, require complex shift sequences to enter special characters.

Authentication programs differ in the characters they allow in passwords. Some of them do not recognize the difference between cases (for example, uppercase "E" is considered equivalent to lowercase "e"), others prohibit certain other characters. Over the past few decades, systems have allowed more characters in passwords, but the restrictions still exist. Systems can also vary within the maximum length of allowed passwords.

or, in Layman terms: for every extra byte, you add more alphanumeric options, you make the passwords harder and harder to break.

More details here



1) if you only use symbols and numbers, you can use some words or numbers that can be easily guessed. Hackers have tools that try to use every known word repeatedly and quickly, and they try to do this before trying passwords with special characters

2), if you use only letters and numbers, the probability of guessing the symbol in any position is 1/62 (there are 62 possibilities).
If you use special characters ( there are 32 of them), the probability decreases to 1/94.
The total number of possible combinations that you can form if you enter, for example, 8 characters is a) if you do not use special characters: 62 ** 8 = 2.1834E + 14
b) if you use special characters: 94 ** 8 = 60.9569E + 14

Thus, there would be 30 times as many combinations using special characters, i.e. it would take about 30 times longer to crack a password with special characters than without it, since the password uses 8 characters



The main technical reason for this is difficult to guess, it is good practice to improve password security. When someone tries to use, they first try to do it using a dictionary attack, if you use a special character you can avoid this problem. For this reason, several organizations make password policies that include this rule for better security.



All Articles