Forgot your password?
Encryption Security IT

How Many Seconds Would It Take To Crack Your Password? 454

Posted by samzenpus
from the guessing-game dept.
DillyTonto writes "Want to know how strong your password is? Count the number of characters and the type and calculate it yourself. Steve Gibson's Interactive Brute Force Password Search Space Calculator shows how dramatically the time-to-crack lengthens with every additional character in your password, especially if one of them is a symbol rather than a letter or number. Worst-case scenario with almost unlimited computing power for brute-forcing the decrypt: 6 alphanumeric characters takes 0.0000224 seconds to crack, 10 alpha/nums with a symbol takes 2.83 weeks."
This discussion has been archived. No new comments can be posted.

How Many Seconds Would It Take To Crack Your Password?

Comments Filter:
  • Link (Score:3, Informative)

    by Anonymous Coward on Friday June 08, 2012 @08:10AM (#40255319)

  • by Anonymous Coward on Friday June 08, 2012 @08:14AM (#40255359)

    Too bad there are still so many services that will not allow special characters in a password during registration. I have to juggle 4 different types of passwords because of this retarded limitation. If you operate such a site/service, please fix it.

  • by Bananatree3 (872975) on Friday June 08, 2012 @08:15AM (#40255373)
    And raise you a xkcd 792 []
  • Re:Websites (Score:5, Informative)

    by Sinister Stairs (25573) on Friday June 08, 2012 @08:29AM (#40255517)

    I was going to post the same thing. It's not uncommon to have sites that also limit your password to letters & numbers only.

    (As an aside, the most heinous are the websites where you Forgot your password? and they email it right back to you in plaintext.)

  • Re:Ha! (Score:5, Informative)

    by zill (1690130) on Friday June 08, 2012 @09:02AM (#40255809)
    Haven't had my first coffee yet, so my sarcasm detector isn't working. In case you're serious:
    Visa always start with 4; MasterCard always start with 5.
    If the attacker knows who you bank with, then they have issuer number (4-6 digits).
    You lose one digit due to the checksum.

    For example, suppose the attacker knows you have a Visa from Chase, then they only have guess 7 digits. That's weaker than a 3 character alphanumeric password.
  • Re:Huh. (Score:5, Informative)

    by Bengie (1121981) on Friday June 08, 2012 @09:32AM (#40256099)
    "5 random lower case characters + one upper case = 26^6 * 6 NOT 52 ^ 6" Wow, who told the hacker that it is a 6 char password with 1 upper case and rest lower case?

    If someone is bruteforcing your password, they can make no assumptions. (alphabet size)^(number of spaces)
    Where (alphabet size) = group your char is in. eg "!" is is part of a 10 char group, so using ! gives your alphabet an extra 10.

    I Lets see, upper and lower, that's 26*2, then "[]", that's another 12, "3", that's 10, * makes it another 10, "~+" is at least 6 but not sure which group. OK... that's an alphabet size of 90 and is 17 chars long. 90^17 = 1.6677181699666569e+33. Almost as strong as a GUID, but easier to remember.
  • Web delay? (Score:4, Informative)

    by Grizzley9 (1407005) on Friday June 08, 2012 @09:37AM (#40256151)
    I'm not a programmer so this may be a dumb question, but do cracking programs somehow go around the normal web interfaces we all usually have to use? Because many that I use only allow a certain number of tries or the refresh time after each unsuccessful attempt is not instant. Sure if you put the program in a standalone it could do the cracking fairly quickly but that's not always real world is it unless you have some direct access to the server?
  • by MasterOfGoingFaster (922862) on Friday June 08, 2012 @09:52AM (#40256351) Homepage

    In his podcast, Steve clearly knows these things. He collected a number of "hacker" tools and studied them before he wrote haystack. I have not looked at his code, so I can't say what he build. But I recall that he said this was a very basic tool that ran on the local machine using Javascript.

    I've had users enter their old passwords and they are universally shocked. It's a pretty good teaching tool for your average office worker.

  • Re:Huh. (Score:4, Informative)

    by Anonymous Coward on Friday June 08, 2012 @10:49AM (#40257185)

    Actually, no. 52^6 is 6 random mixed case characters - a much larger search space than 5 lower + 1 upper. The number you are looking for is much smaller = 26^6 * 6. Here's why - with 5 lower + 1 upper, you have 6 alpha characters = 26^6. If exactly one of them is uppercase, then the search space is only expanded by -- change the first character to upper, change the second to upper, etc = 26^6 * 6. If you think there are passwords outside of that search space, then try to come up with a 5 lower + 1 upper password that cannot be found by looking at ALL combinations of 6 lower and make one of them upper.
    Gibson makes this type of error when he claims that haystacks are a good password technique. He forgets that 1) people are lazy and 2) hackers tune their search strategy because of #1. People who use haystacks do so because they want something easy to remember. So they probably use a dictionary word with minor alterations (all lower+numbers, make one of them uppercase) and then add a bunch of periods. But they can't just add a random bunch of periods - they have to use a number that they can remember (in addition to remembering the password itself), so it's probably no more than 10 (probably 7). A search strategy tuned to this will find passwords much faster than he claims = do the normal 36^n search space of lowercase + numbers, then for each of them, change one of the letters to uppercase. then for each of these passwords (all lower + all of the change one to upper), add 1-10 periods to the end. Assuming the base word is no longer than 8 and the number of periods is no longer than 10, the search space is at most 36^8 * 9 (no lower + at most 8 ways to make one upper) * 10 (number of periods) = much lower than 96^18.
    Of course, you can manipulate the algorithm, but most people are lazy and besides, you have to remember the algorithm you created. If you are not using an easy haystack, you might as well use a nice strong password with a nice password vault.

  • by Srin Tuar (147269) <> on Friday June 08, 2012 @10:59AM (#40257367)

    >then it doesn't really matter how strong your password is

    Well, thats not quite true. A password with 128 bits of entropy is still going to be strong even when hashed unsalted.

    Leaked hash material is really only helpful for finding poor passwords via one of the brute force methods. Lack of salts, or poor salting, is only helpful for rainbow table or rainbow dictionary type attacks.

    Choosing a good password will still help you. The only problem is websites that do one of the various bad behaviors:
    * forcing an capital or digit reduces entropy
    * limititng the max length reduces entropy.

  • Re:Huh. (Score:2, Informative)

    by Carewolf (581105) on Friday June 08, 2012 @11:34AM (#40257931) Homepage

    Pretty much everything you wrote is wrong other than your first line.

    5 random lower case characters + one upper case = 52^6. It would be 26^6 if and only if you knew exactly where the upper case letter was, which is an unreasonable assumption. Adding an upper case letter would eliminate a straight lower-case dictionary attack entirely and double the pool of possible characters from 26 to 52. There are 6 places, so 52^6.

    Sigh. If you can not do combinatorics do not comment on it.

    5 small letters = 26^5 combinations
    1 capital letter = 26 combinations
    Combinations of position of capital letter: 6

    This gives 26^6 * 6..
    Everything I wrote was correct. Try again idiot.

"Catch a wave and you're sitting on top of the world." - The Beach Boys