How to Calculate Password Keyspace for Single Character Keys

From the National Institute of Standards and Technology (NIST) special publication 800-118 “Guide to Enterprise Password Management(draft)”, in section 3.2.3 Password Strength, defines the Keyspace as the “total number of possible values that a key, such as a password can have.”

So, the password keyspace is the total number of possible characters that a password could have. A component of keyspace used in common passwords is the ‘Character Set’ used to make up the key.

Character Set and Password Strength

A character set could contain all numbers, all lower case letters, all upper case, both lower and upper case letters. When the size of the character set used to pick a password is increased to include all letters, numbers and special characters the resulting password, becomes much hard to guess.

Example of the Single Character Password

So, to use a very simple example, a password that contains a single number, could be satisfied by any one of the numbers zero to nine (0-9) . Therefore, the keyspace of a single number password is 10.

For special characters, (for example the ten characters found by [SHIFT] + Numbers 0-9 on the typical keyboard), the keyspace is also 10.  These special characters are:

  1. !
  2. @
  3. #
  4. $
  5. %
  6. ^
  7. &
  8. *
  9. (
  10. )

As an educational example, let us continue using an imaginary single character password.

Here is a listing of single character keyspace calculations.

It is worth noting that for single character keys, the size of the character set equals the keyspace.

  1. Single Number (10)
  2. Single Upper Case Letter (26)
  3. Single Lower Case Letter (26)
  4. Number or Lower Case (36)
  5. Number or Upper Case (36)
  6. Any Case Letter (52)
  7. Any Case Letter or Number (62)
  8. Any Case Letter or Number or 10 Most Common Special Characters (72)

NIST calculates, in table 3-1 of the above mentioned publication, the keyspaces of various password lengths under different character set sizes.

Length of password	Character set	keyspace
------------------	-------------	----------
4	  		10 		    10000
4 			72  		 30000000

Very secure systems would require password lengths much higher. For passwords with lengths of 16 characters:

Length of password	Character set	keyspace
------------------	-------------	----------
16			10		10,000,000,000,000,000

16			72		500,000,000,000,000,000,000,000,000,000

Conclusion: Increasing the size of the character set dramatically improves keyspace. As a result, the recommendation practice is to use larger character sets when selecting passwords.

Also, mentioned in the NIST publication, the ideal password selected would result from each character being equally likely to be selected. Human selected passwords tend not to do this, as such, an automated method of randomly selecting characters, which equally weighs all characters would result in higher quality passwords.

A randomly generated password could be created here: Random Password Generation tool .