How can I calculate the number of possible passwords?

To get the number of permutations, multiply the number of possibilities at each position:

26x10x26x10x26x10x26 = 456,976,000


I would like to mention, on top of the other answer(s), in regard to the weakness of this particular system, that a password reset feature is only for temporary passwords. The password could be reset because a user forgot it or has been locked out of the system.

Since the user requests the password reset, with some other form of validation of account ownership like an email address, the password should only be active for around 5 minutes or less. If the password reset is implemented securely, it may lock the account after 10 attempts to deter brute force at the time of password reset. However, this attack is probably unlikely to happen with the small time constraint.

If an attacker gets hold of the encrypted database passwords, then they may be able to brute-force the table of temporary passwords to try and log in before the user is able to. In this case, having a small password is a weakness, but they probably have other weaknesses as well.


If you know someone has a 1-digit password, chosen by a common die roll, then you know that there are 6 possible passwords. If someone rolls a die twice, you know it can be 1-6 for both positions 1 and 2, so 6*6 = 36 possible passwords. You keep multiplying by itself, or raising to a higher exponent, every time you add a digit.

A password of letters (uppercase 26 and lowercase 26 possibilities) and digits (10 possibilities) is therefore 62^length, for example 62^6 for a 6-character password, or 57 billion possibilities.

If you have a fixed format, you just multiply the possibilities for each position, just like we did with regular passwords. If the format is something like A0a0a0A, then the options are:

UC   #    low  #    low  #    UC
26 * 10 * 26 * 10 * 26 * 10 * 26 = 457 million

How strong is this? It depends how fast you can crack the password. If you have something like an MD5 hash of the password (e.g. if the database was hacked), you can try a few billion attempts per second with standard software and commodity hardware. If you do not have the hash and instead can only try to log in on a website, then you might get around 10 attempts per second (or 2 per second, or 500, depending on circumstances, but nothing close to a billion).

If my password can be 1, 2, 3, 4, 5 or 6, then on average, after 3 guesses you will have guessed correctly. Same here: if you have 457 million possible passwords and you can do 10 attempts per second, and there are 2 626 560 seconds per month, it would take about 9 months on average. In the worst case (if you are unlucky and you guess it on the last attempt), it would take 1.5 years. If you get very lucky, you could guess correctly on the first try and crack it in 0.1 seconds, but the odds of that are one in 457 million!
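A small calculator for the mask arithmetic and the crack-time estimates in this answer, added here as an example (it is not code from the original post or its author). The mask symbols 'A', 'a' and '0' follow the answer's A0a0a0A notation; the '?' symbol (any letter or digit, 62 choices) and the 2,626,560-seconds-per-month constant are assumptions taken from the answer's own numbers.

```python
from math import prod

# Per-position choices for a fixed-format mask, as used in the answer:
# 'A' = uppercase letter, 'a' = lowercase letter, '0' = digit.
# '?' = any letter or digit (assumed extension for free-form passwords).
CLASS_SIZES = {"A": 26, "a": 26, "0": 10, "?": 62}

# Average month length used by the answer (30.4 days * 86,400 s).
SECONDS_PER_MONTH = 2_626_560


def keyspace(mask: str) -> int:
    """Number of possible passwords for a mask: the product of the
    number of choices at each position (26*10*26*... for A0a0a0A)."""
    if not mask:
        raise ValueError("mask must not be empty")
    try:
        return prod(CLASS_SIZES[c] for c in mask)
    except KeyError as e:
        raise ValueError(f"unknown mask symbol {e.args[0]!r}") from None


def crack_time_seconds(space: int, guesses_per_second: float) -> dict:
    """Best, average (half the keyspace) and worst-case (whole keyspace)
    time to hit one password by exhaustive guessing at a given rate."""
    if space < 1 or guesses_per_second <= 0:
        raise ValueError("space must be >= 1 and rate must be positive")
    return {
        "best": 1 / guesses_per_second,
        "average": (space / 2) / guesses_per_second,
        "worst": space / guesses_per_second,
    }


def crack_time_months(mask: str, guesses_per_second: float) -> dict:
    """Same estimate expressed in months, for comparing online guessing
    (~10/s against a login form) with offline hash cracking (~1e9/s)."""
    secs = crack_time_seconds(keyspace(mask), guesses_per_second)
    return {k: v / SECONDS_PER_MONTH for k, v in secs.items()}


if __name__ == "__main__":
    # Constructed scenario: the answer's A0a0a0A format.
    print(keyspace("A0a0a0A"))                 # 456976000
    online = crack_time_months("A0a0a0A", 10)  # login-form rate
    offline = crack_time_months("A0a0a0A", 1e9)  # unsalted-hash rate
    print(f"online  avg {online['average']:.1f} months, worst {online['worst']:.1f}")
    print(f"offline worst {offline['worst'] * SECONDS_PER_MONTH:.2f} seconds")
```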
