Forgot your password?
typodupeerror
Encryption Security IT

How Many Seconds Would It Take To Crack Your Password? 454

Posted by samzenpus
from the guessing-game dept.
DillyTonto writes "Want to know how strong your password is? Count the number of characters and the type and calculate it yourself. Steve Gibson's Interactive Brute Force Password Search Space Calculator shows how dramatically the time-to-crack lengthens with every additional character in your password, especially if one of them is a symbol rather than a letter or number. Worst-case scenario with almost unlimited computing power for brute-forcing the decrypt: 6 alphanumeric characters takes 0.0000224 seconds to crack, 10 alpha/nums with a symbol takes 2.83 weeks."
This discussion has been archived. No new comments can be posted.

How Many Seconds Would It Take To Crack Your Password?

Comments Filter:
  • Huh. (Score:5, Funny)

    by Anonymous Coward on Friday June 08, 2012 @08:07AM (#40255299)

    I wonder if he's caching every string entered into a dictionary file...

    • Re:Huh. (Score:4, Insightful)

      by jonadab (583620) on Friday June 08, 2012 @08:56AM (#40255747) Homepage Journal
      You don't ask about your actual password. You check one that's similarly complex.

      However, I noticed that he's not *checking* a dictionary file when evaluating password strength. The actual strength of a password like "spastic-elongated-kremlinitude" is pretty good, but his checker's figure of four hundred thousand trillion trillion centuries to crack with a high-end cluster is optimistic beyond the bounds of all reason. That would be naively building it up character by character, and *nobody* does naive character-by-character brute forcing for passwords that long. That's like building a skyscraper without power tools.
    • by DrXym (126579)
      I bet that every time news comes out of a password list that many people reach for the nearest online MD5sum / SHA1sum calculator so they can search the list to see if their password is on there. Of course now their password, however strong it was before is now is worthless since they've just given it to some random website which for anyone knows is run by a malicious operator or could be hacked in its own right. Similarly, if you found some rainbow table sight and typed in your hash and it was not discover
  • Ha! (Score:5, Funny)

    by 2.7182 (819680) on Friday June 08, 2012 @08:07AM (#40255303)
    That's silly. I just use my SS#. That has a LOT of digits. Who is going to guess that?
  • Link (Score:3, Informative)

    by Anonymous Coward on Friday June 08, 2012 @08:10AM (#40255319)

    https://www.grc.com/haystack.htm

  • Whenever somebody mentions GRC I get a craving for cookies. Syncookies, to be precise..

  • Websites (Score:5, Interesting)

    by SJHillman (1966756) on Friday June 08, 2012 @08:11AM (#40255331)

    There's still websites out there that limit you to 8 characters maximum. When Citi held my student loans (studentloans.com), their website would just use the first 8 characters of whatever password you entered.... of course, the field would accept more and they wouldn't tell you this so the first time you went to log in, it was a very WTF moment because you'd get a Password Incorrect error even though the password matched the one you signed up with. It was one of the main reasons I was actually happy when they sold my loan to Sallie Mae six months ago.

  • by tgatliff (311583) on Friday June 08, 2012 @08:12AM (#40255337)

    Anytime I read articles like this, I just assume someone is trying to see something...

    The best way to limit an attack like this is to limit how fast the attempts can be made. Rerun his "test" when the server only allows one password submit ever 10 seconds and see how long it takes. More secure you say?? Well, after 5 bad attempts, lock the account for 30 minutes?? Please, however, never lock the account entirely like SOME companies do. That makes a script kiddies actions my problem...

    Good passwords can never stop common sense computing procedures...

    • I used to belong to a credit union that was great... except for their web interface. It would lock me out completely after three failed attempts and I'd have to drive to their closest branch (40 minutes away) and wait in line for someone (not a teller) to unlock it. Horrible system. It got worse when I tried adding them to Mint.com, which caused it to lock me out for no discernible reason.

      • by darjen (879890)

        This is the reason I don't use my credit union as my primary account. As much as I like supporting the smaller local financiers, their web interface is not up to snuff. And I cannot add them to Mint because they use a two-tier authentication system where you have to type an additional password displayed on the screen (not even a captcha, just a number displayed as text). It is important to me to have the ability of keeping track of my finances via Mint.com. I put everything on my debit card so I can track m

    • by zill (1690130) on Friday June 08, 2012 @08:31AM (#40255535)
      All that is useless when the server gets compromised and the username/hashed password list gets sold to the highest bidder.
    • by jamesh (87723)

      Hell yes. The summary is so stupid i'm not going even bother reading the article. It might make sense to say password X takes 42 times longer to crack than password Y, but to put a real time against the cracking attempt only makes sense if the cracker has access to the hash of your password, in which case you have already lost.

      That said, account lockouts and login delays only make sense for a targeted attack. For a widespread brute force attack it doesn't matter - you can saturate your pipeline and still on

  • by Bananatree3 (872975) on Friday June 08, 2012 @08:12AM (#40255339)
    Not to be suspicious, but "doublecheck you password strength! Just enter your passwords below...." even from a relatively trusted source is a little tough to trust....
    • by Anonymous Coward on Friday June 08, 2012 @08:18AM (#40255405)

      That's why you enter something lexically similar to it and not the actual password.
      If your /. password is 3 mid-length words and the number 54 added to it, you type in that many letters and the number 11.

      Got "trillion trillions centuries" here :)
      Which really means "lasts until some idiot stores it as plain text."

    • by jamesh (87723)

      Not to be suspicious, but "doublecheck you password strength! Just enter your passwords below...." even from a relatively trusted source is a little tough to trust....

      I've always wondered... do those facebook/google/linkedin/twitter links on the page allow them to determine your facebook account name if you are logged in?

  • I use binary for passwords, thus my password is 168 character long, only down side is it only has 10 digits!

    0111100101101111011101010010000001101
    text in the middle
    0010110111001110011011001010110111001
    text in the middle
    1100110 11010010111010001101001011101
    text in the middle
    100110010100100000011000110110110001
    text in the middle
    1011110110010000100001

    More text because /. filter throws an error, I wonder how much more text I have to type?
    "Filter error: That's an awful long string of letters there."
    "Filter error:

  • by equex (747231) on Friday June 08, 2012 @08:13AM (#40255347) Homepage
    My password would take 8.52 hundred thousand centuries to crack in an Massive Cracking Array Scenario. Not bad. Add the fact that every password I have is different, I should be safe. An uppercase character added would take 1.41 hundred million centuries. Maybe it's time I put in an uppercase too :)
  • by Anonymous Coward

    Too bad there are still so many services that will not allow special characters in a password during registration. I have to juggle 4 different types of passwords because of this retarded limitation. If you operate such a site/service, please fix it.

  • Sure, if you have some unknown password, and your brute strength computer can get a yes/no answer to each guess just as quickly as the guesses can be generated, then most passwords are shockingly insecure and can be cracked in fractions of a second. However, in many real-world situations, each guess has some minimum time or cost associated with it, which severely limits the real-world speed of a brute strength attack. For instance, if you are trying to guess the password to a WiFi network, each attempted
  • by pev (2186) on Friday June 08, 2012 @08:20AM (#40255427) Homepage

    What a great way to generate a new wordlist...

  • MS Office CD Key (Score:5, Interesting)

    by Anonymous Coward on Friday June 08, 2012 @08:22AM (#40255445)

    I worked on a random desktop rollout contract that was paying stupid amounts of money, and one evening I observed one of my fellow contractors entering his password.

    clickity clickity clickity clickity...

    I said "wow... hardcore password", he replied "yeah, I worked on a contract before this where we had to manually put in the MS Office CD Key across a few hundred desktops, so I've memorised it. It's now my go-to password"

    Must have been the only time I've seen an MS CD-Key actually being wanted.

    Pasting the first CD Key I could find on serials.ws (V4933-88FR7-9P3KK-D2QF4-9M9CM) into the GRC tool produced:

    Online Attack Scenario:
    (Assuming one thousand guesses per second) 68.45 thousand trillion trillion trillion centuries

    Offline Fast Attack Scenario:
    (Assuming one hundred billion guesses per second) 6.84 hundred million trillion trillion centuries

    Massive Cracking Array Scenario:
    (Assuming one hundred trillion guesses per second) 6.84 hundred thousand trillion trillion centuries

    Anyway, in actual practice: passphrases using 2-3 words. I've found that 4 words and above is a bit much. And writing down your password/passphrase on a post-it is not a bad thing so long as your obfuscate it!

  • Soon we will see an article about how many hard passwords in recently leaked databases were "cracked" using this little test because users were gullible enough to test their real passwords...
  • by VorpalRodent (964940) on Friday June 08, 2012 @08:26AM (#40255481)

    I checked my password, and found that it will take 25.76 million trillion centuries. Hooray - no one that's never read XKCD will ever guess my password.

    Obligatory: http://xkcd.com/936/ [xkcd.com]

  • President Skroob: 1-2-3-4-5?
    Colonel Sandurz: Yes!
    President Skroob: That's amazing. I've got the same combination on my luggage.
  • The one for my email - trillions of years. Dumb sites emailing me my own private data means it needs to be secure.

    Slashdot, football forums, BBC - minutes. I honestly don't give a shit about these sites.

    Random websites that force you to sign up in order to download a crappy wav file - I'll just tell you, just to save you the hassle. username = no@example.com, password is nonononono.

    My banking password? Minutes. Why? Because passwords are shite and obsolete. I use extra forms of authentication on banking web
    • by kiehlster (844523)
      I and many of my friends send that junk to bob@aol.com. I don't know who he is, but he's got to have the largest database of generic passwords in the world.
    • The one for my email - trillions of years. Dumb sites emailing me my own private data means it needs to be secure.

      Having a locked mailbox to prevent anyone from reading your postcards might be considered a false sense of security. Not that the lock is a bad idea, it's just that something else that's also important may have been overlooked.

  • Q:So, from the answer above, that means that our passwords should always contain at least one of each type of character?

    A:Yes, that's exactly what it means. Take, for example, the very weak password “news.” If another lowercase character was added to it (for example to form “newsy”), the total password search space is increased by 26 times. But if, instead, an exclamation point was added, (making it “news!”), the total search space is increased by a whopping 1,530 times! That's how important it is to choose passwords having at least one of every type of character. If anyone ever does try to crack your password, you will have eliminated all shorter searches.

    Funny thing is, almost every example I've seen of how to increase the complexity of your password uses the example of putting an exclamation mark or a 1 on the end. Based on what I know about people, that's exactly what they'll do, which doesn't increase the search space by as much as the author thinks, and might even convince the user to use a shorter password with a ! on the end of it, which is worse.

  • Post-it (Score:5, Funny)

    by jmccue (834797) on Friday June 08, 2012 @08:45AM (#40255647) Homepage
    Well I entered in "Go to my office and look at the post-it on my terminal" and it said that will take "4.97 hundred billion trillion trillion trillion trillion trillion trillion centuries"
  • Trillions of centuries online, 65.90 thousand centuries with the Massive Cracking Array Scenario, and yet somehow I don't want to use it.
  • by jimicus (737525) on Friday June 08, 2012 @08:56AM (#40255745)

    I wrote a nice long reply rebutting every single point then lost it when I hit backspace and focus was in the wrong part of the window. Grrr.

    The author gets lots of things confused:

      - He seems unaware that a rainbow table is equally effective against a good password as a bad one.
      - He seems to think a dictionary attack comprises wholly and exclusively of words taken from a dictionary with no added numbers, symbols or punctuation. Bruce Schneier doesn't seem to agree with this [schneier.com], and I'm far more inclined to believe Mr. Schneier.
      - He believes that a likely avenue for attack is constantly guessing a given user's password on a website. Any half-sane web service will block you long before you've tried a few thousand passwords against one username.
      - He fails to note that in the case of LinkedIn, the list of password hashes itself was leaked - and this is Bad News.
      - He also fails to note that in the case of LinkedIn, the password hashes were unsalted - Much Worse News.
      - He also fails to note that if an unsalted list of password hashes is leaked, then it doesn't really matter how strong your password is, it's going to get found rather quickly. There's very little you or I can do about this. You could refuse to use systems that have such terrible security, but usually you only learn their security is this bad when it's far too late.
      - He tops it off by recommending 10 character passwords with symbols and/or numbers. In other words, he falls foul of the problem described by Randall Munroe in XKCD [xkcd.com] some time ago.

    • by MasterOfGoingFaster (922862) on Friday June 08, 2012 @09:52AM (#40256351) Homepage

      In his podcast, Steve clearly knows these things. He collected a number of "hacker" tools and studied them before he wrote haystack. I have not looked at his code, so I can't say what he build. But I recall that he said this was a very basic tool that ran on the local machine using Javascript.

      I've had users enter their old passwords and they are universally shocked. It's a pretty good teaching tool for your average office worker.

    • by Srin Tuar (147269) <zeroday26@yahoo.com> on Friday June 08, 2012 @10:59AM (#40257367)

      >then it doesn't really matter how strong your password is

      Well, thats not quite true. A password with 128 bits of entropy is still going to be strong even when hashed unsalted.

      Leaked hash material is really only helpful for finding poor passwords via one of the brute force methods. Lack of salts, or poor salting, is only helpful for rainbow table or rainbow dictionary type attacks.

      Choosing a good password will still help you. The only problem is websites that do one of the various bad behaviors:
      * forcing an capital or digit reduces entropy
      * limititng the max length reduces entropy.

  • Rainbow tables and Brute force could not do it in a reasonable amount of time. But this was a couple of years ago on a old decomissioned server with only 8 Xeon processors. 1 week later and still nothing.

  • by redelm (54142) on Friday June 08, 2012 @09:09AM (#40255863) Homepage

    Very nice, MD5 hashes can be cracked quickly in massive parallel on GPU hardware. This only matters after the hashes have already been stolen.

    Actual security should be more systemic -- the cost of a wrong guess is more than a nanosecond of GPU. There are at least network delays, and in many cases lockouts. The latter make random guessing too costly/slow, especially progressive systems that allow 5 wrongs immediately, 10 in an hour, 20 in a day, and lock hard (manual intervention) above that.

    My father had one of the early ATM cards but had me operate the machinery. It had an 8 digit assigned PIN, but dropped quickly to 4 when it was realized the 8 were hard to remember, and swallowing the card after 3 wrong guesses was more than adequate.

  • Web delay? (Score:4, Informative)

    by Grizzley9 (1407005) on Friday June 08, 2012 @09:37AM (#40256151)
    I'm not a programmer so this may be a dumb question, but do cracking programs somehow go around the normal web interfaces we all usually have to use? Because many that I use only allow a certain number of tries or the refresh time after each unsuccessful attempt is not instant. Sure if you put the program in a standalone it could do the cracking fairly quickly but that's not always real world is it unless you have some direct access to the server?
  • Wait, what? (Score:5, Insightful)

    by glwtta (532858) on Friday June 08, 2012 @10:27AM (#40256829) Homepage
    with almost unlimited computing power for brute-forcing the decryptt: 6 alphanumeric characters takes 0.0000224 seconds

    With "almost unlimited" computing power any password will almost take "almost no time" to decrypt.
  • by xrayspx (13127) on Friday June 08, 2012 @10:48AM (#40257167) Homepage
    I have to wonder why anyone listens to Steve Gibson about anything, ever. He goes back a long way, making sweeping claims about things he kind of understands based on research done by actual security professionals. Has he gotten better at things in the last decade or so? He always had a tendency to hear something, run off on a tangent creating press releases and small tools, and then get shouted down by the security community at large. Examples including who did the heavy lifting: Raw Sockets (l0pht/@stake IIRC [and whoever the initial researcher was, they did NOT spin it as the apocalypse, as Gibson did), WMF (Ilfak Guilfanov), SYN Cookies (djb), DNS (Dan Kaminsky), and this article right here.

    Slashdot always seems to be his willing dupe and publicizes whatever he is concerned with at the moment.

Adding manpower to a late software project makes it later. -- F. Brooks, "The Mythical Man-Month"

Working...