How many possible passwords are there?

Most people ask this at one time or another, worried that programs like Crack will eventually grow in power until they can do a completely exhaustive search of all possible passwords, to break into a specific user's account - usually root.

If (to simplify the maths) we make the assumptions that:

  1. Valid passwords are created from a set of 62 chars [A-Za-z0-9]
  2. Valid passwords are to be between 5 and 8 chars long

Then the size of the set of all valid passwords (written in base 62) is:

				   100000 +
				  1000000 +
				 10000000 +
				100000000 =
				---------
				111100000	(base 62)
A figure which is far too large to usefully undertake an exhaustive search with current technologies. Don't forget, however, that passwords CAN be made up with even more characters than this; you can use the space character, all the punctuation characters, and symbols (~<>|\#$%^&*) too. If you can use some or all of the 95 non-control characters in passwords, this increases the search space for a cracker to cover even further.
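The same count worked through in decimal, as an added example that is not part of the original FAQ: it reproduces the base-62 figure above, repeats the sum for the 95-character set, and converts each total into search time. The guess rates in `main` are hypothetical values chosen for illustration, not measurements of any tool.

```python
import string

# Digit symbols used to write a number in base 62 (0-9, A-Z, a-z).
DIGITS = string.digits + string.ascii_uppercase + string.ascii_lowercase


def keyspace(alphabet_size, min_len, max_len):
    """Count the passwords that are min_len..max_len characters long."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def to_base(value, base):
    """Render a non-negative integer in the given base (2..62)."""
    if not 2 <= base <= len(DIGITS):
        raise ValueError("base must be between 2 and 62")
    if value < 0:
        raise ValueError("value must be non-negative")
    if value == 0:
        return "0"
    out = []
    while value:
        value, rem = divmod(value, base)
        out.append(DIGITS[rem])
    return "".join(reversed(out))


def days_to_exhaust(space, guesses_per_second):
    """Days needed to try every candidate at a fixed guess rate."""
    return space / guesses_per_second / 86400


def main():
    # Hypothetical guess rates (assumptions, not taken from the FAQ).
    rates = (1_000, 1_000_000, 1_000_000_000)
    for size in (62, 95):
        total = keyspace(size, 5, 8)
        print(f"{size} characters, lengths 5-8: {total:,} passwords")
        if size == 62:
            print(f"  in base 62: {to_base(total, 62)}")
        for rate in rates:
            days = days_to_exhaust(total, rate)
            print(f"  at {rate:>13,} guesses/s: {days:,.1f} days")


if __name__ == "__main__":
    main()
```
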

However, it's still MUCH more efficient for a cracker to get a copy of "Crack", break into ANY account on the system (you only need one), log onto the machine, and spoof his way up to root privileges via operating system holes.

Take comfort from these figures. If you can slam the door in the face of a potential cracker with a robust password file, you have sealed most of the major avenues of attack immediately.