Reader Dave Pullin wrote: Sir, Your math is a little off. Actually completely wrong. The number of passwords of length N from an alphabet of A characters is A to the power of N, (A^N) so the key space is A^1 + A^2 ... A^N it is not 1^A + 2^A ... n^A as you say in your article. By your equation a password of length 1 from the 62 letters and digit has only one possible value (it's obviously 62), whereas you say a Reader Dave Pullin wrote:Sir,Your math is a little off. Actually completely wrong.The number of passwords of length N from an alphabet of A characters is A to the power of N, (A^N) so the key space is A^1 + A^2 … A^N it is not 1^A + 2^A … n^A as you say in your article. By your equation a password of length 1 from the 62 letters and digit has only one possible value (it’s obviously 62), whereas you say a password of length 2 would have 62+2^62, = 4 trillion trillion, combinations which would make a 2 character password fairly secure.Dave My reply:Dave,Thanks for writing. You are correct. Can I say that I was just checking to see if readers were paying attention? (grin)My article says: “…in Windows, a log-on password can use almost any Unicode character, of which there are 65,536, and passwords can be as long as 127 characters. The effective keyspace, then, is 1^64,000 + 2^64,000+ … 127^64,000. “And further, thanks for ignoring me and my editor’s error of converting my equations from 65,536 to 64,000.On a related note, I had sent my math to multiple crypto experts for review, including Bruce Schneier, CTO of Counterpane and several books on crypto. He had sent back “corrected” math that didn’t’ work either, because he assumed that the password had to be =N length, which is a common assumption when dealing with fixed length cryptographic keys or hashes. Variable length passwords follow the math you stated above (and which I mistakenly reversed). The math becomes harder to figure out if we say that a password must have a min. length, say N=14, but can be bigger up to N=127. Then the math becomes 65536^14+65536^15…65536^127.Thanks for bringing this to my attention. It reminds me that crypto, like electricity, shouldn’t be a hobby.Roger Related content analysis The 5 types of cyber attack you're most likely to face Don't be distracted by the exploit of the week. Invest your time and money defending against the threats you're apt to confront By Roger Grimes Aug 21, 2017 7 mins Phishing Malware Social Engineering analysis 'Jump boxes' and SAWs improve security, if you set them up right Organizations consistently and reliably using one or both of these approaches have far less risk than those that do not. By Roger Grimes Jul 26, 2017 13 mins Authentication Access Control Data and Information Security analysis Attention, 'red team' hackers: Stay on target You hire elite hackers to break your defenses and expose vulnerabilities -- not to be distracted by the pursuit of obscure flaws By Roger Grimes Dec 08, 2015 4 mins Hacking Data and Information Security Network Security analysis 4 do's and don'ts for safer holiday computing It's the season for scams, hacks, and malware attacks. But contrary to what you've heard, you can avoid being a victim pretty easily By Roger Grimes Dec 01, 2015 4 mins Phishing Malware Patch Management Software Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe