Effective CISSP Questions

Your company requires that passwords can not be cracked in one year with a brute force attack. You are implementing a password policy by specifying valid characters, as shown in the regular expression, /[a-zA-Z0-9!$]/. If it takes 4 hours to crack passwords with a length of 7 characters, what is the minimum password length to meet your company’s password requirement?
A. Seven characters
B. Eight characters
C. Nine characters
D. Ten characters

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Nine characters.

Regular Expression: [a-zA-Z0-9!$]

There 64 symbols expressed in this regular expression:

  • a-z: from a to z, 26 symbols
  • A-Z: from A to Z, 26 symbols
  • 0-9: from 0 to 9, 10 symbols
  • ! and $: 2 symbols


64-symbol is a 64 base system. That is, one character has 64^1 combinations, two for 64^2, and so forth.

8-character is 64 times as more as 7-character. (64^8 / 64^7). Since 7-character takes 4 hours to crack, 8-character will take 256 hours (4 * 64).

9-character is 64 times as more as 8-character. (64^9 / 64^8), so 9-character will take 16384 hours (256 * 64). As one year has 8760 hours, 16384 hours meet the company requirement.

Password Policy

As Chaudhary said:

This is the reason most of companies enforce 8 character password and force users to change their password in 90 days. It means, if someone try to break 8 character password in 90 days than it will be hard to break it by brute Force.

Password Policy


Leave a Reply