Slow and Steady

Although we’ve made many posts about the importance of password security, have you ever wondered just how long it would take for a well-equipped attacker (having access to clusters or supercomputers) to brute force your password? Or how much more protection you gain from adding some special characters?

If you’re not inclined to crank out the numbers yourself, you might find the answers you’re looking for here.

Here are some basic stats:

• With access to super-computing-like power (trying over 1 billion per second), it only takes about 84 days to crack the common 8 character password (alphanumeric mixed case, including special characters).
• With access to a less powerful class of attack machines (10k per second), without including special symbols, an 8 character mixed-case alphanumeric password would need 692 years to brute force completely.
• Numeric-only passwords are low-hanging fruit.

The data only takes into account the maximum time it would take to brute force a password by exhausting the key space. It does not include tricks or techniques someone might use to optimize an attack. The most significant factor in the success of this approach is the use of the hardware. The price, availability, and power of hardware have a direct bearing on the protection offered by the typical single-factor password authentication scheme. In addition, as technology improves, the barrier to entry for brute forcing will drop, potentially allowing more would-be attackers to try their hand at it. Also, botnets dedicated to brute forcing passwords will get faster as the hosts (typically infected PCs) that comprise their processing power become faster. The golden standard “8 character alphanumeric+special” password is already within reach of a well-funded attacker (and has been for a while).

If you haven’t already, it may be time to start picking longer passwords for important accounts.