Slashdot Mirror


How Many Seconds Would It Take To Crack Your Password?

DillyTonto writes "Want to know how strong your password is? Count the number of characters and the type and calculate it yourself. Steve Gibson's Interactive Brute Force Password Search Space Calculator shows how dramatically the time-to-crack lengthens with every additional character in your password, especially if one of them is a symbol rather than a letter or number. Worst-case scenario with almost unlimited computing power for brute-forcing the decrypt: 6 alphanumeric characters takes 0.0000224 seconds to crack, 10 alpha/nums with a symbol takes 2.83 weeks."

35 of 454 comments

  1. Huh. by Anonymous Coward · · Score: 5, Funny

    I wonder if he's caching every string entered into a dictionary file...

    1. Re:Huh. by jonadab · · Score: 4, Insightful

      You don't ask about your actual password. You check one that's similarly complex.

      However, I noticed that he's not *checking* a dictionary file when evaluating password strength. The actual strength of a password like "spastic-elongated-kremlinitude" is pretty good, but his checker's figure of four hundred thousand trillion trillion centuries to crack with a high-end cluster is optimistic beyond the bounds of all reason. That would be naively building it up character by character, and *nobody* does naive character-by-character brute forcing for passwords that long. That's like building a skyscraper without power tools.

      --
      Cut that out, or I will ship you to Norilsk in a box.
    2. Re:Huh. by Anonymous Coward · · Score: 4, Insightful

      Pretty much everything you wrote is wrong other than your first line.

      5 random lower case characters + one upper case = 52^6. It would be 26^6 if and only if you knew exactly where the upper case letter was, which is an unreasonable assumption. Adding an upper case letter would eliminate a straight lower-case dictionary attack entirely and double the pool of possible characters from 26 to 52. There are 6 places, so 52^6.

      You make the same mistake in several other locations.

      To address your other claim, "Adding one extra capital, number or symbol to a password does not increase password strength that much." ... You make this claim only because your math is so hilariously wrong.

    3. Re:Huh. by hackertourist · · Score: 5, Insightful

      Based on what? You're arguing that Gibson is wrong, but your reasoning amounts to saying "nuh-uh".

      The attacker knows that there are 6 characters in a password. Or does he? I'd want a hashing algorithm that hides the password length by turning any password length into e.g. a 64-character hash.
      Even assuming he knows it's 6 chars, how can he know there are 5 lowercase + 1 uppercase? Assuming the hash doesn't give clues (which would be a weakness in the hash function) I see no way the attacker can infer 5 lowercase + 1 uppercase (and guess correctly at which position the uppercase will be).
      Therefore he has to assume a search space of lowercase+uppercase for all positions, which leads to 52^6.

    4. Re:Huh. by Bengie · · Score: 5, Informative

      "5 random lower case characters + one upper case = 26^6 * 6 NOT 52 ^ 6" Wow, who told the hacker that it is a 6 char password with 1 upper case and rest lower case?

      If someone is bruteforcing your password, they can make no assumptions. (alphabet size)^(number of spaces)
      Where (alphabet size) = group your char is in. e.g. "!" is part of a 10 char group, so using ! gives your alphabet an extra 10.

      Let's see, upper and lower, that's 26*2, then "[]", that's another 12, "3", that's 10, * makes it another 10, "~+" is at least 6 but not sure which group. OK... that's an alphabet size of 90 and is 17 chars long. 90^17 = 1.6677181699666569e+33. Almost as strong as a GUID, but easier to remember.

    5. Re:Huh. by Anonymous Coward · · Score: 5, Insightful

      5 random lower case characters + one upper case = 26^6 * 6.

      6 random case random characters = 26^6 * 2^6 = 52^6.

      Check your own math first.

    6. Re:Huh. by chill · · Score: 5, Funny

      Mine is huge but then again I found an easy way to get a huge password...anybody seen how big the serial is on your average bass? It's got uppercase, lowercase, numbers and symbols and it's pretty long and since I know my babies and never sell them it's a pretty easy set of long passwords to keep up with.

      If I ever catch a bass with a serial number, I'll give up fishing. Do you work in some genetics testing lab or something?

      --
      Learning HOW to think is more important than learning WHAT to think.
    7. Re:Huh. by Anonymous Coward · · Score: 4, Informative

      Actually, no. 52^6 is 6 random mixed case characters - a much larger search space than 5 lower + 1 upper. The number you are looking for is much smaller = 26^6 * 6. Here's why - with 5 lower + 1 upper, you have 6 alpha characters = 26^6. If exactly one of them is uppercase, then the search space is only expanded by -- change the first character to upper, change the second to upper, etc = 26^6 * 6. If you think there are passwords outside of that search space, then try to come up with a 5 lower + 1 upper password that cannot be found by looking at ALL combinations of 6 lower and make one of them upper.
      Gibson makes this type of error when he claims that haystacks are a good password technique. He forgets that 1) people are lazy and 2) hackers tune their search strategy because of #1. People who use haystacks do so because they want something easy to remember. So they probably use a dictionary word with minor alterations (all lower+numbers, make one of them uppercase) and then add a bunch of periods. But they can't just add a random bunch of periods - they have to use a number that they can remember (in addition to remembering the password itself), so it's probably no more than 10 (probably 7). A search strategy tuned to this will find passwords much faster than he claims = do the normal 36^n search space of lowercase + numbers, then for each of them, change one of the letters to uppercase. Then for each of these passwords (all lower + all of the change one to upper), add 1-10 periods to the end. Assuming the base word is no longer than 8 and the number of periods is no longer than 10, the search space is at most 36^8 * 9 (no lower + at most 8 ways to make one upper) * 10 (number of periods) = much lower than 96^18.
      Of course, you can manipulate the algorithm, but most people are lazy and besides, you have to remember the algorithm you created. If you are not using an easy haystack, you might as well use a nice strong password with a nice password vault.
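The search-space arithmetic the replies above argue about (26^6 * 6 versus 52^6, the 90^17 figure, and the tuned haystack model), worked as an added example that is not part of the thread or of GRC's calculator. It assumes GRC's alphabet of 33 symbols and the three guess rates quoted elsewhere on this page, and sums lengths 1..n the way GRC's "search space size" does.

```python
from math import comb, log2

# Alphabet sizes as the GRC calculator counts them (the 33 printable symbols
# is an assumption about the tool, not a figure stated in the thread).
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33

# Guesses per second for the three scenarios quoted from the GRC calculator.
GUESS_RATES = {"online": 1e3, "offline_fast": 1e11, "massive_array": 1e14}


def uniform_space(alphabet_size: int, length: int) -> int:
    """Attacker knows only the length and which character classes appear, so
    every position may hold any of alphabet_size characters (the 52^6 model)."""
    return alphabet_size ** length


def structured_space(lower_positions: int, upper_positions: int) -> int:
    """Attacker somehow knows exactly how many positions are upper case: pick a
    letter for each position, then pick where the upper-case ones sit
    (the 26^6 * 6 model for five lower plus one upper)."""
    n = lower_positions + upper_positions
    return LOWER ** n * comb(n, upper_positions)


def cumulative_space(alphabet_size: int, max_length: int) -> int:
    """GRC-style 'search space size': all passwords of length 1..max_length,
    because a brute-forcer that does not know the length tries short ones first."""
    return sum(alphabet_size ** k for k in range(1, max_length + 1))


def haystack_tuned_space(base_len: int, max_padding: int) -> int:
    """The tuned model from the reply above: lower case and digits for the base
    word, the base word plus each way of upper-casing one position, then
    1..max_padding trailing padding characters."""
    return (LOWER + DIGITS) ** base_len * (base_len + 1) * max_padding


def seconds_to_exhaust(space: int, scenario: str) -> float:
    """Worst case: the whole space is tried at the scenario's guess rate."""
    return space / GUESS_RATES[scenario]


def entropy_bits(space: int) -> float:
    """Search space as bits, the usual unit for comparing password policies."""
    return log2(space)


if __name__ == "__main__":
    print(f"5 lower + 1 upper, position unknown: {structured_space(5, 1):,}")
    print(f"6 mixed-case letters:               {uniform_space(LOWER + UPPER, 6):,}")
    print(f"90-char alphabet, 17 long:          {uniform_space(90, 17):.4e}")
    print(f"6 alphanumerics, massive array: "
          f"{seconds_to_exhaust(cumulative_space(LOWER + DIGITS, 6), 'massive_array'):.7f} s")
    print(f"tuned haystack vs 96^18: {entropy_bits(haystack_tuned_space(8, 10)):.1f} "
          f"vs {entropy_bits(uniform_space(96, 18)):.1f} bits")
```

Lower case plus digits up to length 6 at the massive-array rate reproduces the summary's 0.0000224 s, and the 59-character alphabet of upper case plus symbols up to length 3 at the offline-fast rate reproduces the 0.00000209 s quoted for "SS#" below.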

  2. Ha! by 2.7182 · · Score: 5, Funny

    That's silly. I just use my SS#. That has a LOT of digits. Who is going to guess that?

    1. Re:Ha! by agentgonzo · · Score: 5, Funny

      "SS#" is a rubbish password with just three characters. It takes only 0.00000209 seconds to crack it according to the tool.

    2. Re:Ha! by TeknoHog · · Score: 4, Funny

      "my SS#" my #ss.

      --
      Escher was the first MC and Giger invented the HR department.
    3. Re:Ha! by ciderbrew · · Score: 5, Funny

      You had your #ss cracked ages ago...

      really no need for that :)

    4. Re:Ha! by rolfwind · · Score: 5, Funny

      Really? Mine takes much longer than that. You should post it. Don't worry, it will appear as ***-**-*** on our screens just like mine did on yours just now. I just want to copy and paste it into Steve Gibson's Interactive Brute Force Password Search Space Calculator to verify what you said.

    5. Re:Ha! by zill · · Score: 5, Informative

      Haven't had my first coffee yet, so my sarcasm detector isn't working. In case you're serious:
      Visa always starts with 4; MasterCard always starts with 5.
      If the attacker knows who you bank with, then they have the issuer number (4-6 digits).
      You lose one digit due to the checksum.

      For example, suppose the attacker knows you have a Visa from Chase, then they only have to guess 7 digits. That's weaker than a 3 character alphanumeric password.

    6. Re:Ha! by Anonymous Coward · · Score: 5, Funny

      hunter2

    7. Re:Ha! by TeknoHog · · Score: 4, Funny

      So that's why you call it the pound sign.

      --
      Escher was the first MC and Giger invented the HR department.
  3. Websites by SJHillman · · Score: 4, Interesting

    There are still websites out there that limit you to 8 characters maximum. When Citi held my student loans (studentloans.com), their website would just use the first 8 characters of whatever password you entered... of course, the field would accept more and they wouldn't tell you this, so the first time you went to log in, it was a very WTF moment because you'd get a Password Incorrect error even though the password matched the one you signed up with. It was one of the main reasons I was actually happy when they sold my loan to Sallie Mae six months ago.

    1. Re:Websites by Gideon+Wells · · Score: 5, Funny

      My one bank does that. It irks me to no end. Kind of like an unmatched (.

      --
      by Anonymous Coward: I, for one, welcome the shift from car analogies to pizza analogies. um.. overlords?
    2. Re:Websites by SJHillman · · Score: 5, Funny

      )

      You're gonna break stuff if you keep leaving unmatched (

    3. Re:Websites by Anonymous Coward · · Score: 5, Funny

      )

      Fucker.

    4. Re:Websites by Sinister+Stairs · · Score: 5, Informative

      I was going to post the same thing. It's not uncommon to have sites that also limit your password to letters & numbers only.

      (As an aside, the most heinous are the websites where you Forgot your password? and they email it right back to you in plaintext.)

    5. Re:Websites by kahless62003 · · Score: 5, Funny

      c-c-c-combo breaker!)

  4. Has anyone actually doublechecked his security? by Bananatree3 · · Score: 4, Funny

    Not to be suspicious, but "doublecheck your password strength! Just enter your passwords below...." even from a relatively trusted source is a little tough to trust....

    1. Re:Has anyone actually doublechecked his security? by Anonymous Coward · · Score: 5, Insightful

      That's why you enter something lexically similar to it and not the actual password.
      If your /. password is 3 mid-length words and the number 54 added to it, you type in that many letters and the number 11.

      Got "trillion trillions centuries" here :)
      Which really means "lasts until some idiot stores it as plain text."

  5. I'll see your xkcd 538 by Bananatree3 · · Score: 4, Informative

    And raise you a xkcd 792

  6. Re:Almost Unlimited? by TwentyCharsIsNotEnou · · Score: 4, Funny

    If the computing power was "almost unlimited" you could crack any password you want since it is essentially unbounded in its parallelism.

    Well, almost any password.

  7. Interactive password tester? by pev · · Score: 4, Insightful

    What a great way to generate a new wordlist...

  8. MS Office CD Key by Anonymous Coward · · Score: 5, Interesting

    I worked on a random desktop rollout contract that was paying stupid amounts of money, and one evening I observed one of my fellow contractors entering his password.

    clickity clickity clickity clickity...

    I said "wow... hardcore password", he replied "yeah, I worked on a contract before this where we had to manually put in the MS Office CD Key across a few hundred desktops, so I've memorised it. It's now my go-to password"

    Must have been the only time I've seen an MS CD-Key actually being wanted.

    Pasting the first CD Key I could find on serials.ws (V4933-88FR7-9P3KK-D2QF4-9M9CM) into the GRC tool produced:

    Online Attack Scenario:
    (Assuming one thousand guesses per second) 68.45 thousand trillion trillion trillion centuries

    Offline Fast Attack Scenario:
    (Assuming one hundred billion guesses per second) 6.84 hundred million trillion trillion centuries

    Massive Cracking Array Scenario:
    (Assuming one hundred trillion guesses per second) 6.84 hundred thousand trillion trillion centuries

    Anyway, in actual practice: passphrases using 2-3 words. I've found that 4 words and above is a bit much. And writing down your password/passphrase on a post-it is not a bad thing so long as you obfuscate it!

  9. Re:Poor security by arth1 · · Score: 5, Insightful

    What system would allow someone to make thousands of attempts per second to login?

    That's not the problem. The problem is that the lists of user logins and corresponding hashed passwords get in the wrong hands, whether it be due to bad design and/or coding, insecure software, or unfaithful servants. When you have that list, you run brute force against it to get the actual passwords.

    Breaking into servers is much more attractive than breaking individual user accounts, simply because the yield is so much higher. Make a good trojan delivered through good social engineering, and you may catch 1% of the users. Breach the server, and you get the account info of all of them, and by running a crack session, you likely have 20-50% of the passwords within hours. Choose a very hard to crack password, and they may never get it even if they have the hash.

    This happens a lot more than what we think. A server breach doesn't have to leave traces that anyone actually sees. We mostly know about the cases where the culprits brag about it or publish lists, which is unlikely to be more than the tip of the iceberg.
    Companies are going to insist that their data is safe until proven otherwise, but you're stupid if you believe them.

    Sony, Steam, LinkedIn, eHarmony - there are hundreds of server breaches with stolen user/hash lists that we know about. And likely an enormous amount we don't know about.

  10. Re:This obvious is once again ignored... by zill · · Score: 5, Insightful

    All that is useless when the server gets compromised and the username/hashed password list gets sold to the highest bidder.

  11. Post-it by jmccue · · Score: 5, Funny

    Well I entered in "Go to my office and look at the post-it on my terminal" and it said that will take "4.97 hundred billion trillion trillion trillion trillion trillion trillion centuries"

  12. It's a terrible article. by jimicus · · Score: 5, Insightful

    I wrote a nice long reply rebutting every single point then lost it when I hit backspace and focus was in the wrong part of the window. Grrr.

    The author gets lots of things confused:

      - He seems unaware that a rainbow table is equally effective against a good password as a bad one.
      - He seems to think a dictionary attack consists wholly and exclusively of words taken from a dictionary with no added numbers, symbols or punctuation. Bruce Schneier doesn't seem to agree with this, and I'm far more inclined to believe Mr. Schneier.
      - He believes that a likely avenue for attack is constantly guessing a given user's password on a website. Any half-sane web service will block you long before you've tried a few thousand passwords against one username.
      - He fails to note that in the case of LinkedIn, the list of password hashes itself was leaked - and this is Bad News.
      - He also fails to note that in the case of LinkedIn, the password hashes were unsalted - Much Worse News.
      - He also fails to note that if an unsalted list of password hashes is leaked, then it doesn't really matter how strong your password is, it's going to get found rather quickly. There's very little you or I can do about this. You could refuse to use systems that have such terrible security, but usually you only learn their security is this bad when it's far too late.
      - He tops it off by recommending 10 character passwords with symbols and/or numbers. In other words, he falls foul of the problem described by Randall Munroe in XKCD some time ago.

    1. Re:It's a terrible article. by Srin+Tuar · · Score: 4, Informative

      >then it doesn't really matter how strong your password is

      Well, that's not quite true. A password with 128 bits of entropy is still going to be strong even when hashed unsalted.

      Leaked hash material is really only helpful for finding poor passwords via one of the brute force methods. Lack of salts, or poor salting, is only helpful for rainbow table or rainbow dictionary type attacks.

      Choosing a good password will still help you. The only problem is websites that do one of the various bad behaviors:
      * forcing a capital or digit reduces entropy
      * limiting the max length reduces entropy.
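The unsalted-versus-salted distinction this reply draws, as an added example that is not from the thread or from any site's real code. It uses plain SHA-1 for the shape the leaked records had and PBKDF2-HMAC-SHA256 with a random per-user salt for the corrected design; the accounts and the common-password list are constructed.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # per-guess work factor; raise it as hardware improves


def unsalted_sha1(password: str) -> str:
    """Shape of the leaked records: a hash of the password alone, so equal
    passwords give equal hashes for every user, on every site, forever."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_record(password: str, salt: bytes = b"") -> tuple:
    """Stores (salt, PBKDF2-HMAC-SHA256(password, salt)) with a fresh random
    16-byte salt per user, so no precomputed table carries over between users."""
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_salted(password: str, record: tuple) -> bool:
    """Recomputes with the stored salt and compares in constant time."""
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)


def build_lookup_table(common_passwords) -> dict:
    """Stand-in for a rainbow/dictionary table: unsalted hashes of common
    passwords, computed once and reusable against any unsalted dump."""
    return {unsalted_sha1(p): p for p in common_passwords}


def audit_unsalted_dump(user_hashes: dict, table: dict) -> dict:
    """Defender-side audit: which users in an unsalted dump fall to the
    precomputed table with no further hashing at all."""
    return {user: table[h] for user, h in user_hashes.items() if h in table}


def shared_password_groups(user_hashes: dict) -> list:
    """Without salts, users sharing a password show up as identical hashes
    before a single guess has been made."""
    groups = {}
    for user, h in user_hashes.items():
        groups.setdefault(h, []).append(user)
    return [users for users in groups.values() if len(users) > 1]


if __name__ == "__main__":
    # Constructed sample accounts; "hunter2" is the thread's own running joke.
    accounts = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse battery staple"}
    unsalted = {u: unsalted_sha1(p) for u, p in accounts.items()}
    table = build_lookup_table(["password", "123456", "hunter2"])
    print("recovered from unsalted dump:", audit_unsalted_dump(unsalted, table))
    print("users sharing a password:", shared_password_groups(unsalted))
    salted = {u: salted_record(p) for u, p in accounts.items()}
    print("alice/bob salted digests equal:", salted["alice"][1] == salted["bob"][1])
```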

  13. Re:obligatory xkcd.... by Skarecrow77 · · Score: 4, Insightful

    let's say you know 100% for sure that somebody is using xkcd's method.

    there are 15,222 words in the english language according to oxford english dictionary. how many are common 5, 6, and 7 letter words? hard to say for sure. I think 3000 or 4000 would be a good conservative guess, what do you think? let's say 3000 to err on the side of caution.

    how many combinations of common 5,6, and 7 letter words does that give us to build a password based on xkcd's suggestion?
    3000^4
    that's 8.1 x 10^13 discrete combinations, counting the ability to reuse the same word.

    I'm assuming you didn't build a plaintext dictionary with all those possible combinations... at 1 byte per letter, and an average of 6 bytes per component word, that's 4.86 x 10^14 bytes, or a 442 terabyte dictionary file. where the hell are you storing that?

    no, i'm assuming you probably built a program specifically to build combinations of component words and brute force using that. sure that will eventually work, after it goes through its 8.1 x 10^13 iterations (worst case)... but hell, why are you trying to crack that hard a password when there are thousands of people out there whose password is just "Password1"? the club doesn't make your car theftproof, it just makes it less inviting to the thief than the car next to it. you don't need to outrun the lion, you just need to outrun the slowest person in your group.

    and this is all assuming:
    1. you somehow -know- which password generation method the person is using
    2. they didn't do what I do with that method, and throw a few uppercase and numbers in there anyway.

  14. Wait, what? by glwtta · · Score: 5, Insightful

    with almost unlimited computing power for brute-forcing the decrypt: 6 alphanumeric characters takes 0.0000224 seconds

    With "almost unlimited" computing power any password will almost take "almost no time" to decrypt.

    --
    sic transit gloria mundi