How secure is a password that uses Chinese characters?

There is no good reason, from a technical standpoint, why passwords can't contain scripts in Chinese, Japanese, Korean, or any other language for that matter. If you are able to write in this script, then it is entirely appropriate for you to employ it in whatever endeavors you undertake.

However, if you put this theory to the test, you will discover that many websites, including well-known ones like Google, prevent you from entering a password that contains characters other than A-Z, 0-9, and common special characters.

This brings to mind the early days of the internet when certain websites forbade the use of capitalization and prohibited the use of Latin letters for no discernible reason.

Site issues with passwords including Chinese characters

Users often make use of passwords that are longer than 30 characters, include all of the various character kinds that are usually suggested, and are created at random. If you use a password manager, you should probably make the password as difficult and as lengthy as it can possibly be.

However, if you visit more than 150 websites and change your password each time, you may find that many websites have password rules that do nothing but lower their level of security rather than increase it. This is because these rules are designed to protect users from themselves.

For instance, several websites impose arbitrary restrictions on the maximum length of passwords. They will typically demand passwords with less than 20 characters, in many instances. In certain cases, you can only use a maximum of 12 characters.

Even though it makes the password less secure, certain websites require that you include a number and a special character. This is despite the fact that doing so decreases the entropy of the password. On other pages, one may be restricted to using just the Latin letters; numerals and punctuation are not allowed. On certain websites, one may use punctuation, but you have to choose it from a drop-down menu first, and characters like "&" are not permitted.

This last point ought to give you significant cause for worry. Are these websites capable of sanitizing the password before inserting it into the database? Your database should not be used to store passwords in any way. I'm curious how many times this has been the cause when we consider severe breaches of privacy. You are required to hash the password before saving it.

In any event, the end effect of all of this is that a significant number of websites still verify passwords in an erroneous manner, excluding characters that really should be fully allowed. There is no valid reason why "您未设置安保问题" can’t serve as your password.

So, how safe is such a password?

Entropy is a term used to describe both the difficulty of breaking a password and the complexity of the password itself. In the next paragraphs, we will examine how to compute the entropy of a password.

If we expand the character set to cover everything from a to Z, digits from 0 to 9, punctuation marks, and so on, then we have a pool of 90 characters. This results in an entropy per character of log2(90), which is equivalent to 6.49 bits. If, on the other hand, we expand our character pool to include all Chinese, Japanese, and Korean (CJK) characters (presuming that our character pool has 74,605 characters), then we can calculate the entropy of each character as log2 (74605) = 16.19 bits of entropy per character.

Therefore, a 7-character CJK password such as "正确的马电池钉" would give you 16.19 bits of entropy times 7, which equals 113.33 bits total. I would need a password consisting of 18 characters if I wanted to match this using Latin letters, numbers, and special characters.

The vast majority of people are Chinese-illiterate. They have decided against using any characters that include CJK in their passwords. On the other hand, the effectiveness of a complicated password is comparable to that of vaccination in that it confers herd immunity. Crackers will only conduct brute force or dictionary attacks based on the letter az if individuals only use passwords that include those letters. If people have a habit of using numbers and punctuation, it forces attackers to incorporate those elements into their vocabulary, which in turn slows down their attack. The attacker needs to try all of these additional possible combinations, regardless of whether or not your own password used any of them.

Because roughly one-third of the world's population is able to read and write CJK characters (the populations of China and Japan are enormous), if we permit people to use CJK characters in their passwords, then even if I don't use CJK characters myself, we can all benefit from the increased complexity that this provides.

To reiterate, knowledge of Chinese is not required in order to work with CJK characters. You can keep track of all of your passwords by using a password manager, as was previously suggested. It does not matter whether you are unable to read or write the password as long as the password manager is able to save it and accurately copy and paste it into the password box when it is required.

Conclusion

We’d like to remind everyone that your name, birth date, or any other identifying information should never be used as a password, regardless of the language you use.

In addition, the passwords that are established on other websites might somewhat vary from one another, which makes them easier to remember and prevents the same issue from occurring. In this scenario, it is essential to connect your mobile phone number or email address so that you may easily recover the account in the event that the mobile phone number is lost or stolen.

On the other hand, many people feel that passwords are becoming outdated and that there are now more efficient methods to handle computer security and authentication than by using passwords. Perhaps now is the moment for people to begin shifting their attention to other approaches. In the not-too-distant future, we will find out.