Only 3 letters from my password?

Are you worried about your bank only asking for 3 characters from your password to let you into your banking?

There’s a good argument for a few tweaks there, but 3 characters gives odds of 26^3 to 1 (17576:1) against guessing (or 36^3 to 1 if alphanumeric, 46656:1), so it works well in theory and practice.

If someone sees what letters you put in, the odds of them getting even 1 location to match are quite low, so the information is fairly useless.

(Implementation people: however, picking the requested characters purely at random isn’t so bright. Markov chaining means that you can easily predict some following letters – q is almost always followed by u, for example.

I recommend a line of code to ensure that the letters asked for are non-consecutive. This makes the system stronger.)
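One way to implement the non-consecutive rule recommended above, as an added example that is not code from the original post. The function names, the 1-based position convention and the default of 3 characters are assumptions; the sampler picks uniformly among all valid position sets and rejects passwords too short to satisfy the rule.

```python
import secrets
from math import comb

# CSPRNG-backed generator, so the challenge positions themselves are not predictable.
_rng = secrets.SystemRandom()


def challenge_count(length: int, k: int = 3) -> int:
    """How many distinct k-position challenges exist with no two positions adjacent."""
    if length < 2 * k - 1:
        return 0
    return comb(length - k + 1, k)


def pick_positions(length: int, k: int = 3) -> list[int]:
    """Return k 1-based character positions, sorted, with no two adjacent.

    Every valid set is equally likely: choose k distinct values from
    1..(length - k + 1), sort them, then add 0, 1, ..., k-1 to spread them out.
    That mapping is a bijection onto the sets whose neighbours differ by >= 2.
    """
    if length < 2 * k - 1:
        # e.g. a 4-character password cannot supply 3 non-adjacent positions
        raise ValueError(f"need at least {2 * k - 1} characters for {k} non-adjacent positions")
    base = sorted(_rng.sample(range(1, length - k + 2), k))
    return [p + i for i, p in enumerate(base)]


if __name__ == "__main__":
    sample = "quartzlemon"  # constructed sample password, not from the post
    positions = pick_positions(len(sample))
    print("ask for characters", positions, "of", challenge_count(len(sample)), "possible challenges")
    # "q" (position 1) and "u" (position 2) can never be requested together.
```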

As a user, use a non-dictionary word paired with another word, as this prevents the use of software that will “solve” your word! Yes, the kind used by crossword solvers: you enter the known letters and it attempts to determine the word for you. Not what you want with your password! 2 or even 3 words work well, 4 work better.

It will also make sure that the “entropy” (randomness) is kept high – 3 letters from a pool of 4 isn’t very good, 3 from 10+ is much better.

Hope this reassures you – three letters are far stronger than your 4-digit PIN!
