Slashdot Mirror

← Back to Stories (view on slashdot.org)

How Many Seconds Would It Take To Crack Your Password?

Posted by samzenpus on from the guessing-game dept.

DillyTonto writes "Want to know how strong your password is? Count the number of characters and the type and calculate it yourself. Steve Gibson's Interactive Brute Force Password Search Space Calculator shows how dramatically the time-to-crack lengthens with every additional character in your password, especially if one of them is a symbol rather than a letter or number. Worst-case scenario with almost unlimited computing power for brute-forcing the decrypt: 6 alphanumeric characters takes 0.0000224 seconds to crack, 10 alpha/nums with a symbol takes 2.83 weeks."

7 of 454 comments (clear)

  1. Re:Has anyone actually doublechecked his security? by Anonymous Coward · · Score: 5, Insightful

    That's why you enter something lexically similar to it and not the actual password.
    If your /. password is 3 mid-length words and the number 54 added to it, you type in that many letters and the number 11.

    Got "trillion trillions centuries" here :)
    Which really means "lasts until some idiot stores it as plain text."

  2. Re:Poor security by arth1 · · Score: 5, Insightful

    What system would allow someone to make thousands of attempts per second to login?

    That's not the problem. The problem is that the lists of user logins and corresponding hashed passwords get in the wrong hands, whether it be due to bad design and/or coding, insecure software, or unfaithful servants. When you have that list, you run brute force against it to get the actual passwords.

    Breaking into servers is much more attractive than breaking individual user accounts, simply because the yield is so much higher. Make a good trojan delivered through good social engineering, and you may catch 1% of the users. Breach the server, and you get the account info of all of them, and by running a crack session, you likely have 20-50% of the passwords within hours. Choose a very hard to crack password, and they may never get it even if they have the hash.

    This happens a lot more than what we think. A server breach doesn't have to leave traces that anyone actually sees. We mostly know about the cases where the culprits brag about it or publish lists, which is unlikely to be more than the tip of the iceberg.
    Companies are going to insist that their data is safe until proven otherwise, but you're stupid if you believe them.

    Sony, Steam, LinkedIn, eHarmony - there are hundreds of server breaches with stolen user/hash lists that we know about. And likely an enormous amount we don't know about.

  3. Re:This obvious is once again ignored... by zill · · Score: 5, Insightful

    All that is useless when the server gets compromised and the username/hashed password list gets sold to the highest bidder.

  4. It's a terrible article. by jimicus · · Score: 5, Insightful

    I wrote a nice long reply rebutting every single point then lost it when I hit backspace and focus was in the wrong part of the window. Grrr.

    The author gets lots of things confused:

      - He seems unaware that a rainbow table is equally effective against a good password as a bad one.
      - He seems to think a dictionary attack comprises wholly and exclusively of words taken from a dictionary with no added numbers, symbols or punctuation. Bruce Schneier doesn't seem to agree with this, and I'm far more inclined to believe Mr. Schneier.
      - He believes that a likely avenue for attack is constantly guessing a given user's password on a website. Any half-sane web service will block you long before you've tried a few thousand passwords against one username.
      - He fails to note that in the case of LinkedIn, the list of password hashes itself was leaked - and this is Bad News.
      - He also fails to note that in the case of LinkedIn, the password hashes were unsalted - Much Worse News.
      - He also fails to note that if an unsalted list of password hashes is leaked, then it doesn't really matter how strong your password is, it's going to get found rather quickly. There's very little you or I can do about this. You could refuse to use systems that have such terrible security, but usually you only learn their security is this bad when it's far too late.
      - He tops it off by recommending 10 character passwords with symbols and/or numbers. In other words, he falls foul of the problem described by Randall Munroe in XKCD some time ago.

  5. Re:Huh. by hackertourist · · Score: 5, Insightful

    Based on what? You're arguing that Gibson is wrong, but your reasoning amounts to saying "nuh-uh".

    The attacker knows that there are 6 characters in a password. Or does he? I'd want a hashing algorithm that hides the password length by turning any password length into e.g. a 64-character hash.
    Even assuming he knows it's 6 chars, how can he know there are 5 lowercase + 1 uppercase? Assuming the hash doesn't give clues (which would be a weakness in the hash function) I see no way the attacker can infer 5 lowercase + 1 uppercase (and guess correctly at which position the uppercase will be).
    Therefore he has to assume a search space of lowercase+uppercase for all positions, which leads to 52^6.

  6. Re:Huh. by Anonymous Coward · · Score: 5, Insightful

    5 random lower case characters + one upper case = 26^6 * 6.

    6 random case random characters = 26^6 * 2^6 = 52^6.

    Check your own math first.

  7. Wait, what? by glwtta · · Score: 5, Insightful

    with almost unlimited computing power for brute-forcing the decryptt: 6 alphanumeric characters takes 0.0000224 seconds

    With "almost unlimited" computing power any password will almost take "almost no time" to decrypt.

    --
    sic transit gloria mundi