
How many seconds would it take to break your password?


ShyWriter


How many seconds would it take to break your password?

'Strong' isn't a detailed password-rating; go for quintillions of possible combos, then add a symbol

By Kevin Fogarty

June 07, 2012, 8:00 PM


Security breaches of mind-numbing size like those at LinkedIn and EHarmony.com set crypto- and security geeks to chattering about weak passwords and lazy users and the importance of non-alphanumeric characters to security.

But you've never met any non-alphanumeric characters. Sure, you befriended a couple of street people who were a little off kilter when you were in college, and there was that hottie in a Provincetown bar that wasn't what he/she appeared to be at first. They qualified as characters, but denying them alphanumericity is pretty harsh.


And insisting on a particular number of characters in a password is just pointless security-fetish control freakishness, right?

Nope. The number and type of characters make a big difference.

How big? Adding a symbol eliminates the possibility of a straight dictionary attack (using, literally, words from a dictionary). Adding a symbol, especially an unusual one, makes it much harder to crack even using rainbow tables (collections of alphanumeric combinations, only some of which include symbols).

How big a difference do length and character make?

Look below and pick which password-cracking jobs you'd want to take on if you were a computer. The examples come from the Interactive Brute Force Password Search Space Calculator at GRC.com, the love child of former InfoWorld columnist and freeware contributor Steve Gibson.

How long would it take to crack my password: (Includes letters and numbers, no upper- or lower-case and no symbols)

6 characters: 2.25 billion possible combinations

  • Cracking online using web app hitting a target site with one thousand guesses per second: 3.7 weeks.
  • Cracking offline using high-powered servers or desktops (one hundred billion guesses/second): 0.0224 seconds
  • Cracking offline, using massively parallel multiprocessing clusters or grid (one hundred trillion guesses per second): 0.0000224 seconds

10 characters: 3.76 quadrillion possible combinations

  • Cracking online using web app hitting a target site with one thousand guesses per second: 3.7 weeks.
  • Cracking offline using high-powered servers or desktops (one hundred billion guesses/second): 10.45 hours
  • Cracking offline, using massively parallel multiprocessing clusters or grid (one hundred trillion guesses per second): 37.61 seconds.

Add a symbol, make the crack several orders of magnitude more difficult:

6 characters: 7.6 trillion possible combinations

  • Cracking online using web app hitting a target site with one thousand guesses per second: 2.4 centuries.
  • Cracking offline using high-powered servers or desktops (one hundred billion guesses/second): 1.26 minutes
  • Cracking offline, using massively parallel multiprocessing clusters or grid (one hundred trillion guesses per second): 0.0756 seconds

10 characters: Possible combinations: 171.3 sextillion (171,269,557,687,901,638,419; 1.71 x 10^20)

  • Cracking online using web app hitting a target site with one thousand guesses per second: 54.46 million centuries.
  • Cracking offline using high-powered servers or desktops (one hundred billion guesses/second): 54.46 years
  • Cracking offline, using massively parallel multiprocessing clusters or grid (one hundred trillion guesses per second): 2.83 weeks.

Take Steve's (Gibson) advice: go for 10 characters, then add a symbol.

SOURCE: http://www.itworld.c...ack-my-password

Steve


Quite an interesting article, Steve. The one downside I've encountered is there are a number of websites which will not permit the use of special characters in any password you create.

Regards,


Guest Seagull

Very nice article. I have got into the habit of having insanely long and complicated passwords and it's a good habit to get into.

The very reason why people's online accounts get hacked all the time is due to the lack of strength and thought they put into their passwords.

I know people that had their passwords named after their pet, and it would be an easy name that could be easily guessed and I would just do a *facepalm*.


Quite an interesting article, Steve. The one downside I've encountered is there are a number of websites which will not permit the use of special characters in any password you create.

Regards,

You are quite correct EE .. I myself had forgotten that there are quite a few sites that don't allow special characters, blanks, etc, in the UserName *or* PassWord fields. It's a shame too as that would eliminate brute-force dictionary attacks among other things. EagleEye; a very pertinent nom de plume.. :)

Cheers,

Steve


I hate to say it Steve, but that article appears to be lacking some critical information. A popular method of cracking passwords today is the "dictionary attack", which is where they take a rather large text file full of words, names, etc. (including common misspellings and spellings with numbers and symbols substituted for letters) and they run a program that tries combinations of those 'words' until it figures out your password.

The most secure passwords tend to be random combinations of numbers, letters, and symbols that are at least 20 characters in length. Of course, you are never going to remember passwords like that, so you also have to have a secure place to store them. ;)

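Added example, not part of the thread or the quoted article: a Python sketch that reproduces the article's search-space figures and applies the dictionary check raised in the last reply. It counts candidates of every length up to the password's own, with 36 characters for case-insensitive letters plus digits and 69 once symbols are added; the post's 171,269,557,687,901,638,419 figure is that count for 11 characters over 69. `WORDLIST`, `LEET` and all function names are constructed for illustration.

```python
import string

# Character classes sized as a brute-force calculator counts them:
# 26 lowercase, 26 uppercase, 10 digits, 33 symbols (punctuation plus space).
CLASSES = [
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation + " "), 33),
]
# Guesses per second for the three scenarios quoted in the article.
RATES = {"online": 1e3, "offline": 1e11, "cluster": 1e14}
# Constructed sample wordlist and substitution map (assumptions, not real attack data).
WORDLIST = {"password", "letmein", "dragon", "monkey", "fluffy"}
LEET = str.maketrans("@4031!$57", "aaoeiisst")


def alphabet_size(password):
    """Sum the sizes of every character class the password draws from."""
    return sum(size for chars, size in CLASSES if any(c in chars for c in password))


def search_space(alphabet, length):
    """Count all candidates of length 1..length; exhaustive search covers shorter ones too."""
    return sum(alphabet ** k for k in range(1, length + 1))


def dictionary_hit(password, wordlist=WORDLIST):
    """True if the password is a listed word once case, common substitutions
    and a trailing run of digits/symbols are normalised away."""
    lowered = password.lower()
    stripped = lowered.rstrip(string.digits + string.punctuation)
    return any(c.translate(LEET) in wordlist for c in (lowered, stripped))


def assess(password):
    """Brute-force upper bound per scenario, plus whether a wordlist would find it first."""
    space = search_space(alphabet_size(password), len(password))
    return {
        "space": space,
        "seconds": {name: space / rate for name, rate in RATES.items()},
        "dictionary_hit": dictionary_hit(password),
    }


if __name__ == "__main__":
    for pw in ("abc123", "abc123!", "P@ssw0rd1!", "q7#Lm2!vXz9"):
        r = assess(pw)
        print(f"{pw!r}: space={r['space']:.3g} offline={r['seconds']['offline']:.3g}s "
              f"dictionary_hit={r['dictionary_hit']}")
```

A password such as `P@ssw0rd1!` scores a search space above 10^19 yet is flagged by the wordlist check, which is why the brute-force time is only an upper bound.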
