Keeping password length secret
Note that these are only some rough calculations based on a set of strong assumptions I made at 1am. The same is not going to hold for techniques other than brute force.
I was recently having a discussion about password inputs! Most password fields out there mask their characters, i.e. they display "********" instead of "password". However, in a project I was involved in, there was a requirement to mask the input such that it would always display a static number of masked characters, regardless of how many had been typed. I thought that would be quite unintuitive and questioned the benefit of it. But apparently, there are also some well-known applications that do this. This made me wonder how much easier it would be to guess a password if you already knew its length.
Let's assume a very basic brute force approach. Let be the ratio of possible passwords you can eliminate from your search, with being the password length and being the number of possible characters.
Now, if we assume that (notice that is strictly decreasing in ):
One interesting observation here is the following: even if your password were infinitely long, an attacker would still get some benefit from knowing the length of your password, and at that point the size of the benefit depends only on the number of characters that are allowed.
In practice, we can almost always assume that (26 lower-case, 26 upper-case, 10 digit characters), which gives us the following bounds:
i.e. even in the worst-case scenario, an attacker would only have approx. 1.63% fewer options to try.
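A worked version of the calculation, added here as an example and not taken from the post (whose formulas did not survive). The model is my assumption: an attacker who does not know the length brute-forces every candidate of length 1 up to L over an alphabet of n characters, while an attacker who is told the length searches only the n^L candidates of that length; the ratio is the share of the first attacker's search space that the second one can skip. The function names are mine.

```python
from fractions import Fraction
import math


def keyspace_up_to(n: int, max_len: int) -> int:
    """Candidates of every length 1..max_len over an alphabet of n characters.
    This is the search space of an attacker who does NOT know the length
    (assumed model: lengths are tried in increasing order, nothing longer
    than max_len is considered)."""
    return sum(n ** i for i in range(1, max_len + 1))


def eliminated_ratio(n: int, length: int) -> Fraction:
    """Share of keyspace_up_to(n, length) that an attacker can skip once told
    the password is exactly `length` characters long (exact rational arithmetic)."""
    total = keyspace_up_to(n, length)
    return Fraction(total - n ** length, total)


def closed_form_ratio(n: int, length: int) -> Fraction:
    """Same quantity via the geometric-series sum:
    1 - (n - 1) * n^(L - 1) / (n^L - 1)."""
    return 1 - Fraction((n - 1) * n ** (length - 1), n ** length - 1)


def limit_ratio(n: int) -> Fraction:
    """Limit of eliminated_ratio as the length grows without bound: 1/n.
    It depends only on the alphabet size and shrinks as the alphabet grows."""
    return Fraction(1, n)


def bits_saved(n: int, length: int) -> float:
    """The same reduction expressed as bits of search-space entropy lost."""
    return -math.log2(1 - eliminated_ratio(n, length))


if __name__ == "__main__":
    # 26 = lower-case only, 62 = alphanumerics, 95 = printable ASCII
    for n in (26, 62, 95):
        print(f"alphabet n={n}: limit {float(limit_ratio(n)):.4%}")
        for length in (1, 2, 4, 8, 16):
            r = eliminated_ratio(n, length)
            assert r == closed_form_ratio(n, length)
            print(f"  L={length:2d}: eliminated {float(r):.4%}, "
                  f"{bits_saved(n, length):.4f} bits")
```

Two things the table makes visible: the eliminated share grows with the length but never reaches the 1/n limit, and for an alphanumeric alphabet that limit is well under two per cent of the search space, i.e. a few hundredths of a bit of entropy. Under this model a larger alphabet (the 95 printable ASCII characters) makes the leak smaller still.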