How Many Seconds Would It Take To Crack Your Password? 454
DillyTonto writes "Want to know how strong your password is? Count the number of characters and the type and calculate it yourself. Steve Gibson's Interactive Brute Force Password Search Space Calculator shows how dramatically the time-to-crack lengthens with every additional character in your password, especially if one of them is a symbol rather than a letter or number. Worst-case scenario with almost unlimited computing power for brute-forcing the decrypt: 6 alphanumeric characters takes 0.0000224 seconds to crack, 10 alpha/nums with a symbol takes 2.83 weeks."
Link (Score:3, Informative)
https://www.grc.com/haystack.htm
Character X is not allowed! (Score:2, Informative)
Too bad there are still so many services that will not allow special characters in a password during registration. I have to juggle 4 different types of passwords because of this retarded limitation. If you operate such a site/service, please fix it.
I'll see your xkcd 538 (Score:5, Informative)
Re:Websites (Score:5, Informative)
I was going to post the same thing. It's not uncommon to have sites that also limit your password to letters & numbers only.
(As an aside, the most heinous are the websites where you Forgot your password? and they email it right back to you in plaintext.)
Re:Ha! (Score:5, Informative)
Visa always start with 4; MasterCard always start with 5.
If the attacker knows who you bank with, then they have issuer number (4-6 digits).
You lose one digit due to the checksum.
For example, suppose the attacker knows you have a Visa from Chase, then they only have guess 7 digits. That's weaker than a 3 character alphanumeric password.
Re:Huh. (Score:5, Informative)
If someone is bruteforcing your password, they can make no assumptions. (alphabet size)^(number of spaces)
Where (alphabet size) = group your char is in. eg "!" is is part of a 10 char group, so using ! gives your alphabet an extra 10.
I Lets see, upper and lower, that's 26*2, then "[]", that's another 12, "3", that's 10, * makes it another 10, "~+" is at least 6 but not sure which group. OK... that's an alphabet size of 90 and is 17 chars long. 90^17 = 1.6677181699666569e+33. Almost as strong as a GUID, but easier to remember.
Web delay? (Score:4, Informative)
Re:It's a terrible article. (Score:4, Informative)
In his podcast, Steve clearly knows these things. He collected a number of "hacker" tools and studied them before he wrote haystack. I have not looked at his code, so I can't say what he build. But I recall that he said this was a very basic tool that ran on the local machine using Javascript.
I've had users enter their old passwords and they are universally shocked. It's a pretty good teaching tool for your average office worker.
Re:Huh. (Score:4, Informative)
Actually, no. 52^6 is 6 random mixed case characters - a much larger search space than 5 lower + 1 upper. The number you are looking for is much smaller = 26^6 * 6. Here's why - with 5 lower + 1 upper, you have 6 alpha characters = 26^6. If exactly one of them is uppercase, then the search space is only expanded by -- change the first character to upper, change the second to upper, etc = 26^6 * 6. If you think there are passwords outside of that search space, then try to come up with a 5 lower + 1 upper password that cannot be found by looking at ALL combinations of 6 lower and make one of them upper.
Gibson makes this type of error when he claims that haystacks are a good password technique. He forgets that 1) people are lazy and 2) hackers tune their search strategy because of #1. People who use haystacks do so because they want something easy to remember. So they probably use a dictionary word with minor alterations (all lower+numbers, make one of them uppercase) and then add a bunch of periods. But they can't just add a random bunch of periods - they have to use a number that they can remember (in addition to remembering the password itself), so it's probably no more than 10 (probably 7). A search strategy tuned to this will find passwords much faster than he claims = do the normal 36^n search space of lowercase + numbers, then for each of them, change one of the letters to uppercase. then for each of these passwords (all lower + all of the change one to upper), add 1-10 periods to the end. Assuming the base word is no longer than 8 and the number of periods is no longer than 10, the search space is at most 36^8 * 9 (no lower + at most 8 ways to make one upper) * 10 (number of periods) = much lower than 96^18.
Of course, you can manipulate the algorithm, but most people are lazy and besides, you have to remember the algorithm you created. If you are not using an easy haystack, you might as well use a nice strong password with a nice password vault.
Re:It's a terrible article. (Score:5, Informative)
>then it doesn't really matter how strong your password is
Well, thats not quite true. A password with 128 bits of entropy is still going to be strong even when hashed unsalted.
Leaked hash material is really only helpful for finding poor passwords via one of the brute force methods. Lack of salts, or poor salting, is only helpful for rainbow table or rainbow dictionary type attacks.
Choosing a good password will still help you. The only problem is websites that do one of the various bad behaviors:
* forcing an capital or digit reduces entropy
* limititng the max length reduces entropy.
Re:Huh. (Score:2, Informative)
Sigh. If you can not do combinatorics do not comment on it.
5 small letters = 26^5 combinations
1 capital letter = 26 combinations
Combinations of position of capital letter: 6
This gives 26^6 * 6..
Everything I wrote was correct. Try again idiot.