Forum Discussion
Former Member
5 years ago
1Password - Intelligent password same pattern and length
Hello :)
I recently started using the password manager 1Password. Here I see in Windows 10 and Firefox in the browser add-on at the password generator (in each case the current version) the option ...
Former Member
5 years ago
Hey Former Member and @ag_yaron,
Cracking randomly generated passwords is all about time, specifically the time it would take to try every possible value. Lucky for us we can calculate how long it would take to crack a password through brute force by counting all the possible passwords and dividing that number by the time it takes to crack 1 password. As I read it, your question is essentially, since there is a pattern in the generated password, does it reduce the security of the password? Let's find out.
The intelligent passwords are generated from four character sets, uppercase letters (26), lowercase letters (26), numbers (10), and a subset of symbols (6) that we have found to be safe for most sites, which is a total of 68 unique characters. For a 1-character password we have 68 possible passwords and for a 2-character password we have 68 * 68 possible passwords. Following that pattern we see that to calculate the number of passwords of length 19, we need to multiply 68 by itself 19 times (68^19), which is approximately 6.57 * 10^34.
Now, to calculate the number of passwords of length 19 that match our pattern we use a similar technique. For the first three values of our pattern we choose from only 52 characters, the total number of uppercase and lowercase letters. For the fourth value we choose from one of 16 characters, the total number of digits and safe symbols. So for a password of length 4 we would multiply 52 * 52 * 52 * 16 to get the number of possible passwords. Following this pattern, our 19-character password would end up with 15 letters and 4 numbers/symbols, so to calculate the total number of passwords we would multiply 52 by itself 15 times (52^15), multiply 16 by itself 4 times (16^4), and then multiply those two numbers. This comes out to be approximately 3.6 * 10^30.
All we have to do now is figure out how many passwords can be cracked in a second and we can estimate the strength of our two passwords. A really good password cracking rig can brute-force approximately 500 billion passwords each second. Let's assume our attacker has nation-state resources and has 1000 of these cracking rigs to dedicate to our password. Now, we are talking 500 trillion (5 * 10^13) passwords per second or 1.58 * 10^21 passwords per year. To crack our truly random password it would take approximately 41.6 trillion years and to crack our patterned password it would take approximately 2.28 billion years. While it would take significantly less time to crack the patterned password, it is still essentially impossible.
This is a long-winded way of saying the generated password, even though it has a pattern, is still very strong but has the added convenience of matching the common password requirements for many sites.
P.S. Keep in mind the password cracking speed assumes the site storing your password is using a simple hash called MD5. If the site is using a proper password hashing algorithm like scrypt, bcrypt, or Argon2, with a sane configuration, the number of hashes per second is billions of times fewer, yes billions with a B.
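The counting in the reply above, carried through for any repeating pattern and length, as an added example that is not part of the original post or 1Password's code. The pattern letters "L", "X" and "A" and all function names are assumptions made here; the default rate is the 5 * 10^13 guesses per second figure used in the post's arithmetic.

```python
import math
from itertools import product

# Alphabet sizes stated in the post; the class letters are labels chosen here.
CLASS_SIZES = {"L": 52,   # 26 uppercase + 26 lowercase letters
               "X": 16,   # 10 digits + 6 "safe" symbols
               "A": 68}   # any of the 68 characters
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def position_sizes(unit, length):
    """Alphabet size at each position when `unit` repeats up to `length`."""
    return [CLASS_SIZES[unit[i % len(unit)]] for i in range(length)]


def keyspace(sizes):
    """Number of candidate passwords: product of the per-position sizes."""
    return math.prod(sizes)


def entropy_bits(sizes):
    """log2 of the keyspace, summed position by position."""
    return sum(math.log2(s) for s in sizes)


def years_to_exhaust(sizes, guesses_per_second=5e13):
    """Years needed to try every candidate at the given guess rate."""
    return keyspace(sizes) / guesses_per_second / SECONDS_PER_YEAR


def enumerated_count(alphabets):
    """Count candidates by listing them; only feasible for tiny alphabets."""
    return sum(1 for _ in product(*alphabets))


def compare(length=19, rate=5e13):
    """Uniform 68-character password vs. the LLLX pattern at the same length."""
    rows = {}
    for name, unit in (("uniform", "A"), ("patterned", "LLLX")):
        sizes = position_sizes(unit, length)
        rows[name] = (keyspace(sizes), entropy_bits(sizes),
                      years_to_exhaust(sizes, rate))
    return rows


if __name__ == "__main__":
    for name, (n, bits, years) in compare().items():
        print(f"{name:9s} {n:.3e} candidates  {bits:6.1f} bits  {years:.3e} years")
```

Passing a lower `rate` to `compare` models the slower password hashes named in the P.S.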