Question

Not having the computer echo the password is safer than having it echo an asterisk for each character typed, since the latter discloses the password length to anyone nearby who can see the screen. Assuming that passwords consist of upper and lower case letters and digits only, and that passwords must be a minimum of five characters and a maximum of eight characters, how much safer is not displaying anything?

Answer 1

Answer:

Up to 99.99958% safer

Explanation:

Assuming the attacker knows the password restrictions (upper and lower case letters and digits only)

Lets calculate the password combinations for each possible length:

Total characters possible: [a-z]+[A-Z]+[0-9] = 62

(A) Passwords of length = 8  ->  $62^8=218,340,105,584,896$

(B) Passwords of length = 7  ->  $62^7=3,521,614,606,208$

(C) Passwords of length = 6  ->  $62^6=56,800,235,584$

(D) Passwords of length = 5  ->  $62^5=916,132,832$

If length is not known, but between 5 and 8:

(E) Passwords of length = [5-8] ->  

$\sum_{5 \to 8} 62^{n} = \frac{62^9-62^5}{62-1}=221,919,436,559,520$

Finally, to compare how much safer is to keep the password length hidden, we'll calculate the percentage of (A) to (D) passwords against (E)

The formulas are:  

$1-\frac{(A)}{(E)} *100 = 1.61\% safer$

$1-\frac{(B)}{(E)} *100 = 98.41\% safer$

$1-\frac{(C)}{(E)} *100 = 99.97\% safer$

$1-\frac{(D)}{(E)} *100 = 99.99958\% safer$