Shifted Passwords


Does it make sense to require capital letters in passwords?

On a standard US-English keyboard there are 47 characters that can be entered without using the Shift or Caps-Lock keys:

a-z 0-9 `-=[]\;',./

There are 47 more that can be entered with the Shift key:

A-Z ~!@#$%^&*()_+{}|:"<>?

…for a total of 94.

Many websites have password rules that require, for example, at least one capital letter, or one symbol, or a digit. You may also be tempted to capitalize some letters in your own passwords. Does this make sense? Let’s look at some examples.

8 Letters and One Capital

Let’s say the rule is “at least 8 letters and 1 must be a capital” and let’s assume the user does the bare minimum and chooses 8 random letters and capitalizes just one of them.

With 8 lower-case letters there are $$26^8 = 2.088\times 10^{11}$$ possibilities. If exactly one of them is a capital there are $$8\cdot 26^8 = 1.671\times 10^{12}$$ (the factor of 8 is the choice of which position holds the capital). If instead we choose 9 lower-case letters there are $$26^9 = 5.43\times 10^{12}$$ In each case we have 9 keystrokes (including the Shift), but the second option is better.

Mix of Upper and Lower

Okay, let’s say the rule is at least one lower-case and one upper-case letter, and assume the user chooses 8 letters at random. That gives $$52^8 - 2\cdot 26^8 = 5.304\times 10^{13}$$ possibilities (the subtraction because all-lower-case and all-upper-case are disallowed). The exact number of keystrokes depends on how many runs of lower-case and upper-case we have, and thus how often we have to press or release the Shift key, but I am going to assert without evidence that every shifted character costs 2 keystrokes since it’s either a hold-press-release cycle or it’s a longer hold cycle and in either case it’s more awkward to type the shifted character with one hand.

Thus we have at least 9 and up to 15 keystroke-equivalents, or an average of 12. How many possibilities do we have if we enter 12 lower-case-only characters? Well, $$26^{12} = 9.543\times 10^{16}$$ which is about three orders of magnitude better.

So how many lower-case letters do we need for at least the same number of possibilities? $$\lceil \log_{26}(5.304\times 10^{13}) \rceil = 10$$ So 10 lower-case letters are better than 8 mixed-case letters and usually fewer keystrokes.

Longer With Symbols and Digits

What if we extend this to 16 random shifted and unshifted characters (so we have upper and lower case, digits, and symbols, but no spaces), without disallowing all-shifted or all-unshifted? That’s $$94^{16} = 3.715\times 10^{31}$$ and an average of 24 keystroke-equivalents. So how many unshifted characters do we need for at least the same number of possibilities? $$\lceil \log_{47}(3.715\times 10^{31}) \rceil = 19$$ So again, fewer effective keystrokes for slightly better passwords.

So length is better.

The General Case

Let’s define:

  • C: size of the unshifted character set (e.g. 26 for letters, 47 for the keyboard above)
  • (and thus 2C is the size of the character set including both shifted and unshifted characters)
  • S: length of a password using both shifted and unshifted characters
  • U: length of a password using only unshifted characters

The number of possible passwords over the combined shifted-and-unshifted character set is $$(2C)^S = 2^S\cdot C^S$$ and over the unshifted character set alone $$C^U$$ Given a mixed-shift password of length S, we are looking for the minimum length U of an unshifted password such that $$C^U \ge 2^S\cdot C^S$$

Dividing both sides by $$C^S$$ gives $$C^{U-S} \ge 2^S$$ Taking the log to the base C of both sides gives $$U - S \ge \log_C(2^S)$$ and finally moving S across gives $$U \ge \log_C(2^S) + S = S\,(1 + \log_C 2)$$ so that the minimum length U required is $$\lceil \log_C(2^S) + S \rceil$$

Plugging some numbers in gives us a table of how long an unshifted password needs to be to be at least as strong as a shifted password of a given length:

| Shifted password length (S) | Average shifted keystroke equivalents | Minimum unshifted length, letters (C = 26) | Minimum unshifted length, all keyboard keys (C = 47) |
|---|---|---|---|
| 8 | 12 | 10 | 10 |
| 10 | 15 | 13 | 12 |
| 12 | 18 | 15 | 15 |
| 16 | 24 | 20 | 19 |
| 20 | 30 | 25 | 24 |
| 24 | 36 | 30 | 29 |
| 28 | 42 | 34 | 34 |
| 32 | 48 | 39 | 38 |
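The counting in the worked examples above (one capital, at least one of each case, 16 characters over 94 keys) and the general formula for U can be checked with a few lines of code. The following is an added example, not code from the original post; it uses the post's character-set sizes (26 letters, 47 unshifted keys) and its costing assumption that a shifted character counts as 2 keystrokes, and it computes the minimum unshifted length with exact integer arithmetic rather than a floating-point ceil so boundary cases cannot be mis-rounded. The `entropy_bits` helper is an addition of mine for readers who prefer to compare password spaces in bits; the uniform-random-choice assumption behind every figure here is the post's own.

```python
import math

# Character-set sizes used in the post: 26 letters, 47 unshifted keys on a US keyboard.
LETTERS = 26
KEYBOARD = 47


def min_length_for(target: int, charset_size: int) -> int:
    """Smallest length U such that charset_size**U >= target.

    Exact integer arithmetic instead of ceil(log_C(target)), so values that sit
    right on a power of the charset size are not mis-rounded by floating point.
    """
    if charset_size < 2 or target < 1:
        raise ValueError("need charset_size >= 2 and target >= 1")
    length, space = 0, 1
    while space < target:
        space *= charset_size
        length += 1
    return length


def one_capital_count(length: int, lower: int = 26) -> int:
    """Strings of the given length over lower-case letters with exactly one capitalised
    (the post's 8 * 26^8 for length 8: the factor is the choice of capital position)."""
    return length * lower ** length


def mixed_case_count(length: int, lower: int = 26, upper: int = 26) -> int:
    """Strings of the given length over both cases with at least one letter of each case.

    For length 8 this is the post's 52^8 - 2 * 26^8: the subtraction removes the
    all-lower and all-upper strings that the rule disallows.
    """
    return (lower + upper) ** length - lower ** length - upper ** length


def min_unshifted_length(shifted_length: int, charset_size: int) -> int:
    """General case from the post: smallest U with C^U >= (2C)^S, i.e. ceil(S + S*log_C 2)."""
    return min_length_for((2 * charset_size) ** shifted_length, charset_size)


def avg_keystroke_equivalents(shifted_length: int) -> float:
    """Post's costing: a shifted character costs 2 keystrokes, an unshifted one costs 1.
    Each position is shifted half the time on average, so the expected cost is 1.5 per character."""
    return 1.5 * shifted_length


def entropy_bits(count: int) -> float:
    """Addition: size of a uniformly chosen password space expressed in bits."""
    return math.log2(count)


def strength_table(shifted_lengths=(8, 10, 12, 16, 20, 24, 28, 32)):
    """Rows of (S, average keystroke equivalents, min U for letters, min U for all keyboard keys)."""
    return [
        (s, avg_keystroke_equivalents(s),
         min_unshifted_length(s, LETTERS), min_unshifted_length(s, KEYBOARD))
        for s in shifted_lengths
    ]


if __name__ == "__main__":
    # The post's worked examples.
    print("8 letters, one capital:", one_capital_count(8), "vs 9 lower-case:", LETTERS ** 9)
    print("8 mixed-case (>= 1 of each case):", mixed_case_count(8),
          "-> lower-case-only length needed:", min_length_for(mixed_case_count(8), LETTERS))
    print("16 chars over 94 keys -> unshifted length needed:",
          min_length_for((2 * KEYBOARD) ** 16, KEYBOARD))
    # The general-case table.
    for row in strength_table():
        print("S=%2d  keystrokes=%4.1f  letters=%2d  keyboard=%2d" % row)
```

Running the script reproduces the table above; the `min_length_for` loop is also the direct way to answer "how long must a password over this character set be to cover at least N possibilities" for any set size, which is the question the post asks in each section.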
