So Much for that “Strong” Password
These days the average PC is pretty powerful and capable of amazing things. But with great power comes great responsibility (sorry, had to use that…). What I am getting at is that for a while now the average PC has been a lot more powerful than most users will ever utilize. Sure, we geeks are always upgrading and speeding up our machines, often just because we can. But I am not sure that we actually need to.
To that end, the average computer these days is comparable to what would once have been considered a “super computer” and can do things in a very short space of time. That includes cracking passwords.
With that in mind, it also means that what you once considered quite a strong password is now anything but. The reason is that the super computer you’re reading this post with is quite capable of cracking a 9 character randomly generated password of upper and lower case letters and numbers in less time than it took you to listen to the latest AGP.
It gets better (or worse, depending on whether you use your dog’s name as the password for every service you’re signed up to). Consider this:
“Your password is 9 characters long and has 308,915,776,000 combinations.
It takes 1.12 hours or 0.05 days to crack your password on computer that tries 137,438,953,472 passwords per hour. This is based on a typical PC processor in 2008 and that the processor is under 10% load.”
So right now I have 59 processes running on my PC and between 1 and 5% CPU usage. This computer, even with numerous applications running and working, could very easily crack that password, and your dog’s name, in a heartbeat.
So what is the answer? 2 characters. That’s right, the addition of 2 special characters. Adding just one takes that processing time up to about 35 hours. That is long enough that someone might still be willing to put the time in. Add 2 and you take it up to 1,150 hours, which is over a month. They might want to play WoW before that, so you might be in luck.
Get a bit more serious about making your passwords stronger by adding in 2 random alphanumeric characters and you give yourself 423,686.55 days, which is over a thousand years. That’s better, right? Now change that password every few days and you might even keep most people busy. But I won’t be doing that; I am not quite that paranoid.
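As an added example (not code from this post or from the Hackosis tool), the small calculator below reproduces the figures quoted above. The post’s 308,915,776,000 combinations factor as 26^6 × 10^3, so the tool evidently counts six letters and three digits position by position rather than treating all nine positions as drawn from the same set; that per-class counting rule and the class sizes of 26 lowercase, 26 uppercase, 10 digits and 32 specials are assumptions inferred from the numbers, while the rate of 137,438,953,472 guesses per hour (2^37) and the rule that the attacker on average finds the password halfway through the keyspace are the post’s own. The last row goes beyond the post: a 9-character password in which every position is drawn uniformly from all 62 letters and digits.

```python
# Added example: reproduces the Hackosis figures quoted in the post and then
# compares them with a uniformly random 9-character alphanumeric password.
# Class sizes and the per-class counting rule are assumptions inferred from
# the post's numbers; the 2008 guess rate comes from the post itself.

LOWER, UPPER, DIGITS, SPECIAL = 26, 26, 10, 32     # assumed class sizes
FULL = LOWER + UPPER + DIGITS + SPECIAL            # 94 printable characters
RATE_2008 = 2 ** 37                                # 137,438,953,472 guesses/hour

def keyspace(**counts):
    """Number of candidates when each position comes from a known class,
    e.g. keyspace(lower=6, digits=3) -> 26**6 * 10**3.  This is the counting
    rule (assumed) that yields the post's 308,915,776,000."""
    sizes = {"lower": LOWER, "upper": UPPER, "digits": DIGITS,
             "special": SPECIAL, "any": FULL}
    total = 1
    for cls, k in counts.items():
        total *= sizes[cls] ** k
    return total

def hours_to_crack(combos, rate_per_hour=RATE_2008):
    """Expected hours: the attacker on average succeeds halfway through the
    keyspace, which is what turns 2.25 h of raw search into the post's 1.12 h."""
    return combos / rate_per_hour / 2

def days_to_crack(combos, rate_per_hour=RATE_2008):
    return hours_to_crack(combos, rate_per_hour) / 24

def report():
    """Print one line per scenario and return the (label, keyspace) rows."""
    rows = [
        ("6 letters + 3 digits (the post's starting point)",
         keyspace(lower=6, digits=3)),
        ("... plus 1 special character",
         keyspace(lower=6, digits=3, special=1)),
        ("... plus 2 special characters",
         keyspace(lower=6, digits=3, special=2)),
        ("... plus 2 specials + 2 more from the full set",
         keyspace(lower=6, digits=3, special=2, any=2)),
        ("9 chars, every position uniform over a-zA-Z0-9",
         62 ** 9),
    ]
    for label, n in rows:
        print(f"{label:50} {n:>28,}  {hours_to_crack(n):>16,.2f} h"
              f"  {days_to_crack(n):>14,.2f} d")
    return rows

if __name__ == "__main__":
    report()
```

The last row is the point a defender should take away: a 9-character password where the attacker cannot assume which positions are letters and which are digits takes about 49,000 hours on the same 2008 machine, roughly 160 times the 308 billion-combination layout. Length helps, but so does not letting the password’s structure be predictable, which is exactly what a generator that picks every position from the full set gives you.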
I am no security expert, but after discovering that the passwords I thought were pretty good for average use (as opposed to banking or data security, which should be stronger) are actually crap, I looked at ways to make them better. Just a wake-up call that the average PC is quite capable of ruining your day and your bank account. Perhaps the dog’s name might not be such a great idea.
As you guys know I use RoboForm to manage my passwords, so having more complex ones is not a problem. I am going to change my password generator to include those special characters. Sure, it is not perfect, but it feels a lot better knowing that the average high school kid might not bother with it once they find out that they will be dead by the time they crack it. I don’t care about the government; if they want in they get in, and they probably don’t even need the password.
In writing this post I used a cool web-based tool called Hackosis: Brute Force Calculator, which can estimate how long it would take to brute force a password given the number and types of characters it is made up of. Go and check out your passwords and see how they measure up in this day and age.


Source: PHP: Brute Force Calculator v1.1
Hackers: Please don’t hack the web site again, this is not an invitation. Plus we changed the passwords for everything to something the length of War and Peace with alphas… just a small request. Thanks
Scary considering the bank I use limits you to 3 letters followed by 3 numbers. They have a mouse interface to enter the password rather than typing it, and you would still have to know my 8 digit customer number too, but still.
But what kind of passwords are we talking about?
If this is a WinRAR password, maybe so, but as for the passwords to email accounts or internet banking, it’s completely different.
I’m assuming that every randomly generated password has to be tested with the system to check if it is correct, right?
Smart web accounts block your login for 15 minutes if you type incorrect passwords a certain number of times in a row within a short period of time. Therefore, the time it takes is X hours PLUS (15 minutes TIMES every 5th failed attempt) PLUS network delays. Not to mention that it should alert the admin that there’s some strange activity with your account.
Am I wrong on this one?
@Raf - No, you’re right, in part.
I work for a bank and our login system for internet banking uses the old 3 strikes and you’re out method.
So given our required password complexity this equates to a probability of 3,960,458:1 that the password would be correct on any single attempt.
However we also provide RSA encrypted token login support as well, so that brings another 1,000,000 or so combinations into play.
This means that the overall probability is more like 3960480000000:1 that any 1 combination of correct password AND correct token authentication is right at any one attempt.
The above calculations only equate the password and token combination though, the user id is also a consideration, this then brings the probability to 3.564432 × 10^13:1.
Find me a computer that can calculate out a correct permutation with a probability that high within 3 attempts using standard elimination (ie if condition 1 is not true, and condition 2 is not true, then condition 3 must be true) and I’ll eat my hat.
Where you are slightly wrong there Raf is that usually only banks and corporations have those types of password systems, websites like Twitter, Digg and all the other Web 2.0 sites don’t care about the number of attempts made.
The only impact that a website would notice is that their login page would almost grind to a halt during a brute force attack and the amount of traffic generated for a single range of IP addresses would be astronomical.
Hell even with a 15 minute lockout it is possible given enough time to have a password of normal complexity brute forced.
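Raf’s formula (X hours plus 15 minutes for every fifth failed attempt plus network delay) and the bank’s three-strikes policy are easy to put into numbers against the post’s 308,915,776,000-combination keyspace. What follows is an added example, not code from either commenter or from the bank: the lockout parameters and the log lines are constructed for illustration. The last function is the check Raf says should alert the admin: it counts failed logins per account in a sliding window over sample log lines.

```python
# Added example: online guessing under a lockout policy, and a simple
# failed-login detector of the kind Raf says should alert the admin.
# Policy values and the log sample are constructed, not from any real system.
from collections import defaultdict, deque
from datetime import datetime, timedelta

def attempts_per_hour(fails_before_lockout=5, lockout_minutes=15, delay_seconds=0.0):
    """Guesses an online attacker can submit per hour against one account when
    every `fails_before_lockout` failures cost `lockout_minutes` of waiting.
    `delay_seconds` is the round trip per attempt (Raf's 'network delays')."""
    cycle_seconds = fails_before_lockout * delay_seconds + lockout_minutes * 60
    return fails_before_lockout * 3600 / cycle_seconds

def expected_online_hours(combos, **policy):
    """Expected hours to find a password online: half the keyspace at the
    throttled rate.  Compare with the post's 1.12 h for the same keyspace
    cracked offline on the attacker's own machine."""
    return combos / 2 / attempts_per_hour(**policy)

def guess_probability(combos, attempts):
    """Chance of a hit within a fixed number of tries, i.e. a hard lockout
    such as the bank's three strikes before a manual reset."""
    return attempts / combos

# Constructed authentication log (TEST-NET addresses, fictitious accounts).
SAMPLE_LOG = [
    "2008-06-01T10:00:01 user=alice result=FAIL src=203.0.113.5",
    "2008-06-01T10:00:02 user=alice result=FAIL src=203.0.113.5",
    "2008-06-01T10:00:03 user=bob result=FAIL src=198.51.100.7",
    "2008-06-01T10:00:04 user=alice result=FAIL src=203.0.113.5",
    "2008-06-01T10:00:05 user=alice result=FAIL src=203.0.113.5",
    "2008-06-01T10:00:06 user=bob result=OK src=198.51.100.7",
    "2008-06-01T10:00:07 user=alice result=FAIL src=203.0.113.5",
    "2008-06-01T10:40:00 user=alice result=FAIL src=203.0.113.5",
]

def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=15)):
    """Return (user, timestamp) pairs where `threshold` failures for one
    account fell inside a sliding `window`; each burst alerts once."""
    recent = defaultdict(deque)
    alerts = []
    for line in lines:
        parts = line.split()
        when = datetime.fromisoformat(parts[0])
        fields = dict(field.split("=", 1) for field in parts[1:])
        if fields["result"] != "FAIL":
            continue
        q = recent[fields["user"]]
        q.append(when)
        while q and when - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((fields["user"], when))
            q.clear()                        # one alert per burst, not per failure
    return alerts

if __name__ == "__main__":
    combos = 308_915_776_000                 # the post's 9-character keyspace
    print(f"{attempts_per_hour():.1f} attempts/hour under a 5-fail, 15-minute lockout")
    print(f"{expected_online_hours(combos) / 24 / 365:,.0f} years expected to guess online")
    print(f"{guess_probability(combos, 3):.2e} chance within three strikes")
    for user, when in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT {user}: 5 failed logins by {when}")
```

Run as-is it shows the contrast both commenters are describing: the same keyspace that falls in 1.12 hours offline takes on the order of 880,000 years when throttled to 20 attempts an hour, and under a hard three-strikes limit the attacker’s whole budget is a roughly one-in-10^11 chance. The detector fires once for alice at 10:00:07 and stays quiet for bob, whose two events do not reach the threshold; the sixth alice failure at 10:40 starts a fresh window rather than re-alerting.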
Ah, that’s true. Hadn’t considered what happened if you entered it incorrectly. Guessing it correctly in three goes makes it much harder to crack! And then to transfer more than $500 I need a token as well, so I guess my money is reasonably safe.