Password Combination Calculator
Calculating password combinations for a given set of rules can help you understand the strength of a password against brute-force attacks. This tool can help you with this task — it uses combinatorics to find how many possible passwords you can create with a given set of characters. Keep reading this article to learn:
- Why do we need long passwords (and why are they getting longer and more complex)?
- How many password combinations are possible with a given set of characters?
- How to use our number of password combinations calculator?
And much more!
What are passwords?
Passwords are a fundamental aspect of the information age: in our interconnected world, where more and more data is stored online, the protection and uniqueness of one's identity and private data is increasingly important. Passwords are a way of protecting against unwanted intrusions since early history: asking for a word to confirm one's trusted identity is as old as secrets, and the presence of passwords even in many kids' games is a confirmation of how rooted this system is in our cultures.
With computers, passwords became a much more concrete concept — and with them, attempts to illicitly bypass them and access what they protect. In the past decades, passwords and hackers have been engaged in a restless arms race that caused both to get better at their own game.
As a string of only letters, numbers, and symbols, a password is a well-defined and discrete object potentially vulnerable to brute-force attack. A brute-force attack is a mindless attempt to crack a password by pure guessing. With short passwords, this is relatively easy: a PIN code with four digits has exactly 10,000 combinations. An agent that can try a combination every second would take less than 3 hours to find the right one (and just to worry you a bit, the worst computer algorithms that can perform this task can try 10,000 combinations per second!). Clearly, we need more complexity in our passwords.
The computational power of processors keeps growing, but passwords can arbitrarily become so complex that guessing it by brute force would take time in the order of billions of years — while hackers can be patient, we're pretty sure they can't wait this long! Novel techniques involve attempting to crack more than one account at a time, using educated guesses rather than purely random ones, hoping that 12345 and password (or similar common passwords) are used by multiple accounts: since complexity clashes with our brains, this type of attacks can be surprisingly successful. We are not made to remember 16-characters long strings of randomly chosen letters, numbers, and symbols, and we tend to choose easy-to-guess non-random combinations, or we repeat complex passwords over many accounts.
Let's learn how to calculate the number of passwords before discovering more about their complexity and how to choose the best password!
Combinatorics: how to calculate the available password combinations
To calculate the number of password combinations possible for a given set of parameters, we need to dive into the field of combinatorics. This branch of math deals with various ways to combine different or identical objects. You've met the characteristic words of combinatorics many times, even in your daily experience: combinations, permutations, partitions...
When talking about passwords, we need to consider the permutations. Permutations are groups of a certain number of elements extracted from a larger set. Crucially, the ordering of the elements does matter: just as
cba are distinct passwords, so and are distinct permutations.
In mathematical terms, we would indicate permutations with the following notation:
- — The total number of items to choose from; and
- — The length of the permutation to create.
Computing permutations is relatively simple, and we can give you a neat interpretation. Let's try to answer this question: how many permutations of elements can we extract from a set of elements?
- Take an element from the bigger set. You have options; you choose one, and items are left over.
- Take a second element from the remaining options.
- Take a third element from the remaining options.
After Step 1, you'd end up with any of ten possible items. After Step 2, you'd have one pair from among possible pairs. And after Step 3, you'd have a distinct three-item set from among possible outcomes.
If this multiplication of consecutive numbers rung a bell, it's because the formula for the number of permutations uses the factorial: . It's not hard to imagine that the result of the example above comes from the division of two factorials:
The generic formula for permutation is, then:
Permutations with repetition
What would happen if, after each draw, you would put the item back in the set? The answer is repetition. Even though it may look harder than before, calculating permutations with repetition is, once again, pretty straightforward. Take the examples of before, but put back the item every time:
- At the first step, you'd have options.
- At the second step, you'd have once again options (because the option selected in Step 1 wasn't removed).
- At the third step — you guessed it, you have possibilities.
If you follow the same reasoning as before, you will find out that the number of permutations is . The mathematical formula for the number of permutations with repetition is:
You have the basics tool; let's learn how to calculate the available password combinations. This effort will involve adding a step to our reasoning.
How many password combinations are there? Combinatorics in action
To calculate how many possible combinations of your password you can find, it's best to start by defining the possible characters. Using the Latin alphabet, we can identify:
- lowercase letters; and
- uppercase letters.
To these, we can add:
- digits (from to ); and
- Some or all of symbols (like
&, and so on).
The permutation of a password always allows repetition: we will only deal with exponents! Now that we understand which formula we will use, let's define the elements that will appear there:
- — The number of possible characters; and
- — The length of the password.
The number is nothing but the sum of the numbers of the available characters. If all characters listed above are used, we would have:
This is not a small number. In the next section, you will see how quickly the number of permutations can grow. Before this, we need to calculate the password permutations when a condition of the type at least one uppercase character/number/symbol sets in. We know it's frustrating when this happens, but trust us, compared to a simple password made of only lowercase letters, this improves the safety of your accounts many times. How do we write this condition in numbers?
We take all the possible permutations, with repetitions that contain the desired type of character, and then we subtract the permutations that don't respect the condition. To do so, we use the inclusion-exclusion principle, a tool that stems from set theory. As you can imagine, for a higher number of conditions (e.g., at least one number and one uppercase letter), the groups of incorrect passwords increase in number.
This will be much easier to understand with a couple of examples. Let's say you are tasked with creating a character-long password with uppercase and lowercase letters. How many permutations with repetition can we have? The answer is . If we need to have at least one uppercase letter (and, of course, at least one lowercase letter), we need to subtract from these permutations the ones that contain only lowercase letters and those with only uppercase letters. How many of those are there? Simple: in both cases. The number of letter-long passwords and at least one uppercase letter and at least one lowercase letter is then:
You can expand this reasoning for any combination of these requirements. Let's see how in our worked example.
How many possible combinations of my password? A worked example
Let's say you need to create a password with the following requirements:
- At least one lowercase letter (the default condition).
- At least one uppercase letter.
- At least one number.
- Any of eight symbols are also allowed (but not required).
To calculate the password permutations, we need first to define how many characters we can input. Let's see. There are:
- letters ( uppercase letters and lowercase letters);
- digits; and
The total number is then:
To calculate the password combinations, we start by considering all possible passwords we can build with these characters. Let's do this for a five-letter password. We know it's not the safest one, but it will do it!
It's time to consider the passwords not allowed by our rules. There are different types of these:
- Passwords with three types of characters that don't contain lowercase letters, uppercase letters, and numbers.
- Passwords with two types of characters (they don't respect the conditions by default).
- Passwords with only a type of character.
In the calculations and the picture below, we will borrow a bit of set theory notation. Let's use the letter for lowercase letters. Seeing in the name of a set means that the passwords in that set contains lowercase letters. The letter identifies uppercase letters, numbers, and symbols.
The number of passwords contained in a set is called cardinality. We mark it with the "absolute value" notation: is the set of passwords containing exclusively uppercase letters and numbers, and it contains passwords.
To find the number of passwords that fulfill our criteria, we need to identify the corresponding members of the diagram above. In our case, we will need to isolate the members containing only uppercase and lowercase letters and numbers and the members containing uppercase letters, lowercase letters, symbols, and numbers. That is to say, we need to find the cardinalities of the sets and : this is not a straightforward task!
To find the cardinality of , we temporarily restrict our problem to a three-type password. , in this case, is the intersection of all three sets. We subtract from all the possible passwords in:
- The set containing only one type (, , and ); and
- The two-sets intersections (, , and ).
Finally, for single-type passwords, we have:
- with .
- with .
- with .
To find the cardinalities of the two-sets intersection, we use the following formulas:
, that gives us .
, that gives us .
, that gives us .
Join them in the following formula to find their intersection:
To find the cardinality of (the four-type intersection that also contains symbols), we need to expand the previous formula, including all possible contributions from the remaining two-set intersections (we find three more: , and ), the single set with only symbols allowed in the passwords (), and the four possible three-set intersections: we met before, now we introduce , , and .
The final formula for the cardinality of is:
Now we must sum the cardinalities of the set we found satisfying our conditions. You will find that the number of passwords with numbers, eight symbols, uppercase letters, and lowercase letters and at least one lowercase letter, one uppercase letter, and a number is:
More than half a billion passwords: as you can see, it's not an excessively high number. However, the length is only five characters: with eight characters, the number of allowed passwords would be . This is one of the instances where size does matter!
🙋 The bottom line is that when you need to calculate the number of passwords satisfying a certain criterion, the best strategy is to isolate all the sets contributing to the number and sum their cardinalities.
How to use our password combination calculator
What if we want to make our passwords more secure? Let's say increasing the number of required characters to eight. We can skip the math and use Omni's password combination calculator to find how many possible combinations of passwords you can see in this case. How do you do this? Follow these simple steps to learn how to use our password combination calculator.
Choose the number of character in your password.
Select if your password is case sensitive or not.
- Decide if you have to insert at least one uppercase character.
Choose if your password contains numbers.
- Decide if you want to make the presence of at least one number mandatory.
Decide if you can use symbols. In this case, you can use all of them (there are ), include only some of them, exclude only some of them, or exclude them altogether.
- Choose if the symbols must appear in your password.
You can forget how to calculate the available password combination — we'll print the result instantly.
🙋 You can also find the number of passwords for a range of lengths. Change the first variable to range, and select the two extremes. We will print the possible lengths.
After choosing the right length of your password, head to our password entropy calculator to calculate how safe it can be!
How do I calculate the number of possible passwords?
To calculate how many possible combinations of passwords are for a given set of characters, you must use the mathematics of permutations:
- Count the number of allowed characters.
- Calculate the number of the allowed characters to the power of the length of the password.
The result is the number of passwords that allow repetition. The formulas get more complex when we introduce conditions: in that case, you need to subtract the number of passwords that don't respect them.
Is a password with 16 characters secure?
A password with a length of 16 characters is generally secure. However, using regular patterns, complete words, or fewer special characters reduce the complexity and simplifies brute-force attacks. Using uppercase and lowercase letters, numbers, and eight symbols, with at least one character from each category, gives you
258,931,250,661,140,200,000,000,000,000 possible password combinations. Guessing a million passwords per second would take almost ten million years.
How many 12-character password with uppercase and lowercase letters are there?
The number of 12-character passwords with a combination of uppercase and lowercase letters is
390,686,148,572,926,840,000. To find this result:
Calculate the number of possible characters. In this case, since there are
26letters, we have
26 + 26 = 52characters.
Compute the 12th power of the number of characters:
52¹² = 390,877,006,486,250,192,896
If you need to include at least one uppercase and one lowercase letter, subtract the combinations of only lowercase and only uppercase letters:
52¹² − 26¹² − 26¹² = 390,686,148,572,926,840,000
How can I remember my passwords?
To remember your password, use the following tricks:
Use a memorable sentence: think of, for example, "correct horse battery staple".
Pick only the initials of a longer sentence.
Remove the vowels or substitute them with numbers, but don't use leetspeak: it's a common substitution.
Combine a word and a number, alternating letters, and digits.
Use your imagination, and use familiar numbers or words in unexpected ways: the date of birth of your pet, in reverse, with its name, uppercase, in between.
Are 4-digits PINs secure?
From a technical point of view, four digits PINs are not secure. With a total number of combinations of
10,000, even with repetition, a brute force attack would take mere seconds to retrieve your PIN.
However, a system that prevents multiple attempts or temporary pins makes even a short combination of numbers safe enough. Just don't use them as the password of your bank account!