Strong Password with Extended ASCII Characters
There are several methods for making a strong password: avoiding words found in a dictionary, Wikipedia, personal information, dates, patterns, sequences, lyrics, excerpts, quotations, short and common passwords, and compromised passwords and their variations; using a combination of upper case and lower case letters, numbers and special characters; and creating a long unique password for each account.
A lesser-known strategy for creating a strong password is to use extended ASCII characters, which are not found on the keyboard.
Defending Against Brute Force Attacks using Strong Password
If you avoid passwords that are compromised, easy to guess or discover, an intruder or hacker would have to attempt a brute force attack, by trying every possible combination. By using a larger number of potential characters in each position of the password, it takes more time to try all the possible combinations.
For example, if only lower case letters are used, a password of one character length has 26 possibilities. If upper and lower case letters are used, there are 52 possibilities. If numbers are also included, 10 more possibilities are created, for a total of 62.
Including keyboard special characters, such as symbols and punctuation, creates 95 possibilities per character to create a strong password. Special characters are
!@#$%^&*()-_=+`~[{\|}];:'",./<>? and space.
Extended ASCII Characters using 8 Bits for Strong Password
Using 7-bit ASCII characters, 2^7 or 128 characters are possible. Only 95 are printable characters, including space; the others are control characters.
When 8-bit ASCII characters are used, there are 2^8 or 256 possible characters. Another 95 or more printable characters are available, known as extended ASCII characters. ASCII (American Standard Code for Information Interchange) is administered by ANSI (American National Standards Institute).
They include math and currency symbols, copyright and registered trademark symbols, fractions, superscript, and foreign letters with marks known as grave, acute, circumflex, tilde, diaeresis, umlaut, and cedilla. Some extended characters are
§©®¢°±¹²³¼½×÷«âéïñù¡¿»¦Ø.
Use Alt Codes to Create Extended Characters
Extended ASCII characters do not appear as keys on the keyboard. They are created by typing a series of decimal numbers known as an Alt code. For example, to create the copyright symbol ©, hold down the Alt key, then type 0169 on the numeric keypad keys, with the numeric lock on, then release the Alt key. (See character map image above)
Note: Using the number keys on the main keyboard will not work, but there are other methods to use, including cut and paste from the Character Map. Some laptops provide numeric input by holding down both the Alt key and an FN key. An external USB numeric keypad may be added.
All of the Alt code numbers may be found in the lower right corner of the Character Map when a key is selected. In Windows, open Character Map by clicking the Start button. In the search box, type Character Map. In the list of search results, click Character Map.
7-bit Versus 8-bit ASCII Characters
A sample password using 7-bit ASCII might be Cr12x! and could be made a strong password of ©r¹2X! using 8-bit ASCII. Some intruders, hackers, and password cracking software do not use 8-bit ASCII, so they would never break the password.
Adding extended ASCII characters doubles the number of possible choices in each character position of the password from 95 to 190 or more, making each character twice as strong, and taking very much longer to crack a long strong password by a brute force attack.
Each character added to the password also has at least 190 possible combinations, so a 6 character extended ASCII password has 190^6 or 47 trillion total possible combinations rather than standard ASCII with 95^6 or 735 billion.
A strong password may be created by making it longer and by including extended ASCII characters using Alt codes. A weak password uses only numbers, such as 123456. There are only 10 possible combinations for each position, so the total possible combinations would be only 10^6 or 1 million.
As computers (CPU and GPU) become faster, it becomes faster for a hacker to try every possible combination in a brute force attack. But a long strong password would take years, decades or centuries to crack.
Some websites and systems also include blocking software as another layer of security to block out or throttle brute force login attacks after several failed login attempts.
Two-Factor Authentication (2FA), also known as multi-factor authentication (MFA), should also be used when available, especially on critical accounts. The weakest to strongest methods of 2FA include text message (not recommended), TOTP by phone voice message, TOTP by email, TOTP by 2FA app, such as Aegis, and a hardware security key, such as a YubiKey.
Test Strong Password for Compatibility
Not all devices, websites, and software will allow or support extended ASCII characters. You need to test it with your application. Also, try it on your network login password, Wi-Fi password and password protected PDF files. Check your smartphone keyboard for extended ASCII characters.
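Part of the compatibility test described above can be done before a password is put into use. This added example (not from the original article) takes the article's sample password ©r¹2X! and shows the bytes that several encodings would feed to a password hash, plus the effect of NFKC normalization; the function names and the choice of encodings are assumptions.

```python
import hashlib
import unicodedata

SAMPLE = "©r¹2X!"  # the article's sample extended-character password
ENCODINGS = ("utf-8", "cp1252", "latin-1", "cp437")  # assumed set to compare

def encoded_forms(password):
    """Map each encoding to the bytes a system using it would hash,
    or None when the password cannot be represented in it at all."""
    forms = {}
    for enc in ENCODINGS:
        try:
            forms[enc] = password.encode(enc)
        except UnicodeEncodeError:
            forms[enc] = None
    return forms

def digests(password):
    """SHA-256 of each byte form; a stand-in for whatever the verifier hashes."""
    return {enc: hashlib.sha256(b).hexdigest() if b is not None else None
            for enc, b in encoded_forms(password).items()}

def compatibility_issues(password):
    """List reasons the password may fail on another device or service."""
    issues = []
    forms = encoded_forms(password)
    for enc, b in forms.items():
        if b is None:
            issues.append(f"not representable in {enc}")
    if len({b for b in forms.values() if b is not None}) > 1:
        issues.append("byte form differs between encodings")
    # Some systems normalize passwords; NFKC folds characters such as the
    # superscript one into a plain digit.
    folded = unicodedata.normalize("NFKC", password)
    if folded != password:
        issues.append(f"NFKC normalization changes it to {folded!r}")
    return issues

if __name__ == "__main__":
    for enc, b in encoded_forms(SAMPLE).items():
        print(f"{enc:8} {b.hex(' ') if b else 'cannot encode'}")
    for issue in compatibility_issues(SAMPLE):
        print("issue:", issue)
    print("plain ASCII issues:", compatibility_issues("Cr12x!"))
```

A password that reports no issues here is stored and compared as the same bytes on every system in the list; one that reports issues should be tested on each device before it is relied on.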
Use Alt Codes for Foreign Language Characters
It is also useful to learn how to insert extended ASCII characters into a Spanish, French or another foreign language document. Look at the Character Map on your computer to learn how to insert Alt codes for foreign language characters. You can add a desktop link to the Character Map for convenience if you use Alt codes often.
Use a Password Manager
For security, keep passwords in a password manager such as Bitwarden (replacement for outdated LastPass), or KeePassXC, using two-factor authentication. Do not write down passwords on a loose piece of paper or keep them in an unencrypted text file or spreadsheet. Do not rely on memory alone. Keep at least one backup copy of passwords in a fireproof safe and offsite for disaster backup. In the event of your death or incapacity, make sure someone you trust can gain access to your password manager or password list in your safe.
A tested backup USB YubiKey can be stored in the safe or given to a trusted person to use with Bitwarden.
Password Strength (Entropy)
Random password strength is the resistance against a brute force attack and can be estimated using entropy. Entropy is the total number of possible password combinations, using all of the supported characters.
For example, a 4-digit PIN has an entropy of 10^4, or 10,000 combinations, from 0000 to 9999. Entropy is usually expressed in binary digits, or bits. The decimal number 9999 converts to 10 0111 0000 1111, requiring 14 bits. So, it has an entropy of 14 bits, which is very weak against an unlimited attack by a computer, but is probably strong enough for a mechanical combination lock, using a random number, not using a guessable number, such as your birthday, birth year, current year, or a famous date from history, such as 1776 or 1492.
On average, a brute force attack will not need to try all possible combinations. There is a 50% chance it will crack the password by trying only half of the combinations. So, for the 4-digit PIN example, the effective entropy is reduced from 14 bits to 13 bits.
KeePassXC has a built-in random password generator and it estimates the password strength in entropy bits, using an algorithm known as zxcvbn (bottom row keyboard sequence).
For reference, federal government agencies used to use 80 bits as the minimum entropy for confidential documents, but raised it to 112 bits in 2014, when some older weaker encryption algorithms were cracked.
So, you can also use long strong random unique passwords, stored in a password manager, with a minimum entropy of 80 or 112 bits, to protect critical documents and accounts with federal strength security.
The random password generator software developed and released by the National Security Agency (NSA) uses a default setting of 160 bits, and instructions say it can be lowered by the user to a minimum of 112 bits for less secure federal documents.
I use password lengths of 16 to 32 characters, depending on my security classification of the document or type of account and the threat level. Using a round number of 5 bits per random character, a 16-character password provides 80 bits of entropy, and a 32-character password provides 160 bits of entropy. There is no beneficial reason to use random passwords longer than 32 characters.
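The entropy arithmetic above, carried through for every alphabet size the article names, with a generator that sizes a random password to a target number of bits. This is an added example, not from the original article; it assumes every character is drawn uniformly at random and that "extended" means the ISO 8859-1 range 0xA1-0xFF, and the function names are illustrative.

```python
import math
import secrets

# Printable 7-bit ASCII (space through ~): the article's 95 keyboard characters.
ASCII_PRINTABLE = [chr(c) for c in range(0x20, 0x7F)]
# Assumption: "extended" means ISO 8859-1 (Latin-1) 0xA1-0xFF, leaving out the
# invisible no-break space (0xA0) and soft hyphen (0xAD).
LATIN1_EXTRA = [chr(c) for c in range(0xA1, 0x100) if c != 0xAD]

def entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random password, in bits: length * log2(size)."""
    return length * math.log2(alphabet_size)

def min_length(alphabet_size, target_bits):
    """Shortest uniformly random password that reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))

def generate(charset, target_bits):
    """Pick each position independently with the operating system's CSPRNG."""
    symbols = sorted(set(charset))
    length = min_length(len(symbols), target_bits)
    return "".join(secrets.choice(symbols) for _ in range(length))

def length_table(targets=(80, 112, 160)):
    """Minimum length for each alphabet size named in the article, per target."""
    sizes = {"digits": 10, "lower": 26, "upper+lower": 52, "alphanumeric": 62,
             "keyboard": 95, "keyboard+extended": 190}
    return {name: [min_length(n, t) for t in targets]
            for name, n in sizes.items()}

if __name__ == "__main__":
    print(f"{'alphabet':18} lengths for 80 / 112 / 160 bits")
    for name, lengths in length_table().items():
        print(f"{name:18} {lengths}")
    print("4-digit PIN:", round(entropy_bits(10, 4), 2), "bits")
    pw = generate(ASCII_PRINTABLE + LATIN1_EXTRA, 112)
    print(len(pw), "characters:", pw)
```

Doubling the alphabet from 95 to 190 adds exactly one bit per character, so at each of these targets two or three extra keyboard characters give the same strength as switching to the extended set.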
Unfortunately for customers, there are still some websites that do not support passwords longer than 8 or 12 characters. If an alternate vendor is available, choose a new vendor that allows longer passwords for stronger account security. Let the old vendor know that they lost a customer due to weak security practices.
Higher entropy values provide extra protection and longer useful life against advancing technology with faster computers, GPUs, and quantum computers. When using a password manager, you do not need to memorize account passwords, so using high-entropy random passwords provides a form of free extra protection against brute force attacks. Criminals will crack and exploit vulnerable weaker passwords and compromised passwords first.
For crime prevention, use high-entropy random passwords for target hardening against criminal hackers. There is normally no need to change a high-entropy password unless a compromise is known or suspected, advances in technology have weakened password security and increased the threat level, or you choose to make it longer and stronger for greater peace of mind or to meet your password policy.
[Last-Modified Date 2023-11-18] minor edits, added entropy information
© Copyright 2016 ABC Legal Docs, LLC All rights reserved. Do not copy. Citations welcome. Terms of Use apply.