T-Mo
Well-known member
Joined: Jan 22, 2009
Messages: 428
Display name: Terry Reed
Why You Make Your Passwords Long
Have you ever wondered how long it takes an attacker to try all possible passwords of five lowercase letters from a-z? Well, there are only 26^5, or about 11 million, total passwords to guess during a brute force search. With the sophisticated password cracker programs, this isn't rocket science.
Searching dictionary words might find the password even more quickly. An eight character password, chosen from lowercase and uppercase a-z plus digits 0-9, is a much larger space of passwords to guess by brute force, 62^8 or about 200 trillion, and is more difficult to find with dictionary attacks, too.
These are all worst case efforts, and the National Institute of Standards and Technology (NIST) estimates far less entropy in user chosen passwords. Having less entropy means that attackers can use heuristics to search the password space more intelligently than brute force.
Attackers also harness the parallel processing power of graphics cards to help with their attack. But, for brute force attacks, assuming 10,000 password attempts per second, the length and character set of the passwords can make a big difference.
Time to brute force password space, assuming 10,000 attempts per second:
Length—5 characters:
√ Lowercase only—19 min
√ Upper/lowercase/digits—1 day
√ Upper/lowercase/digits/punctuation—8 days
Length—6 characters:
√ Lowercase only—8 hrs
√ Upper/lowercase/digits—65 days
√ Upper/lowercase/digits/punctuation—2 yrs
Length—7 characters:
√ Lowercase only—9 days
√ Upper/lowercase/digits—11 yrs
√ Upper/lowercase/digits/punctuation—200 yrs
Length—8 characters:
√ Lowercase only—241 days
√ Upper/lowercase/digits—692 yrs
√ Upper/lowercase/digits/punctuation—19,000 yrs
Length—9 characters:
√ Lowercase only—17 yrs
√ Upper/lowercase/digits—42,000 yrs
√ Upper/lowercase/digits/punctuation—1.8 million yrs
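The table above can be reproduced, and extended to other guess rates, with the short script below. It is an added example and not part of the original post: it computes the keyspace (charset size to the power of the length), the equivalent number of bits, and the time to exhaust the space at a given guess rate. The post does not say how many punctuation characters it counted; 94 printable ASCII symbols is assumed here because it reproduces the post's figures. The 1,000,000,000 guesses per second figure for a GPU rig is likewise an illustrative assumption, not a number from the post, included only to show how the same keyspace collapses when the hash is fast and the attacker is offline.

```python
import math

# Character-set sizes behind the post's three table columns.
# 94 printable ASCII symbols is an assumption for the punctuation row.
CHARSETS = {
    "lowercase only": 26,
    "upper/lowercase/digits": 62,
    "upper/lowercase/digits/punctuation": 94,
}

POST_RATE = 10_000            # guesses per second used in the post's table
GPU_RATE_ASSUMED = 10**9      # illustrative offline rate; assumption, not from the post


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def keyspace_bits(charset_size: int, length: int) -> float:
    """Search space expressed in bits: log2 of the keyspace."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(charset_size: int, length: int, rate: float) -> float:
    """Worst case: time to try every password in the space at `rate` guesses/s."""
    return keyspace(charset_size, length) / rate


def humanize(seconds: float) -> str:
    """Round down to the largest convenient unit, the way the post's table does."""
    minute, hour, day, year = 60, 3600, 86_400, 365 * 86_400
    if seconds < hour:
        return f"{int(seconds // minute)} min"
    if seconds < day:
        return f"{int(seconds // hour)} hrs"
    if seconds < year:
        return f"{int(seconds // day)} days"
    if seconds < 1_000_000 * year:
        return f"{int(seconds // year):,} yrs"
    return f"{seconds / year / 1e6:.1f} million yrs"


def brute_force_table(rate: float, lengths=range(5, 10)) -> dict:
    """Map (length, charset name) -> humanized worst-case time at `rate`."""
    return {
        (length, name): humanize(seconds_to_exhaust(size, length, rate))
        for length in lengths
        for name, size in CHARSETS.items()
    }


def main() -> None:
    for rate, label in ((POST_RATE, "post's 10,000/s"), (GPU_RATE_ASSUMED, "assumed 1e9/s")):
        print(f"Time to brute force password space at {label}:")
        for (length, name), when in brute_force_table(rate).items():
            bits = keyspace_bits(CHARSETS[name], length)
            print(f"  {length} chars, {name:<36} {bits:5.1f} bits  {when}")
        print()


if __name__ == "__main__":
    main()
```

Running it prints the post's 10,000 guesses/s table (19 min for five lowercase letters, 692 yrs for eight mixed-case alphanumerics, 1.8 million yrs for nine characters with punctuation) alongside the same rows at the assumed GPU rate, where every eight character row falls to days or less; that is the point of the post's remark that the table is a worst case, not a guarantee.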