Although we’ve made many posts about the importance of password security, have you ever wondered just how long it would take for a well-equipped attacker (having access to clusters or supercomputers) to brute force your password? Or how much more protection you gain from adding some special characters?

If you’re not inclined to crank out the numbers yourself, you might find the answers you’re looking for here.

Here are some basic stats:

  • With access to supercomputer-class power (trying over 1 billion guesses per second), it only takes about 84 days to exhaust the key space of a typical 8-character password (mixed-case alphanumeric plus special characters).
  • With a less powerful class of attack machines (10,000 guesses per second), an 8-character mixed-case alphanumeric password without special symbols would need about 692 years to brute force completely.
  • Numeric-only passwords are low-hanging fruit: an 8-digit password has only 10^8 possibilities.

These figures only account for the maximum time it would take to brute force a password by exhausting the key space; on average an attacker finds the password after trying about half of it. They do not include tricks or techniques someone might use to optimize an attack, such as dictionary and rule-based guessing. The most significant factor in the success of this approach is the hardware available to the attacker. The price, availability, and power of hardware have a direct bearing on the protection offered by the typical single-factor password authentication scheme. In addition, as technology improves, the barrier to entry for brute forcing will drop, potentially allowing more would-be attackers to try their hand at it. Botnets dedicated to brute forcing passwords will also get faster as the hosts (typically infected PCs) that make up their processing power become faster. The gold standard "8-character alphanumeric plus special" password is already within reach of a well-funded attacker (and has been for a while).
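The arithmetic behind these figures, as an added example that is not part of the original post. The character sets (the post does not say which special characters it counted; all 32 ASCII punctuation marks, 94 printable characters in total, is an assumption made here), the guess rates, and the constructed SHA-256 target are all illustrative choices. The script reproduces the 692-year figure, shows that the 84-day figure corresponds to a character set of about 96 symbols (with 94 it comes out at about 71 days), compares adding a ninth character with adding a symbol class, and runs a toy exhaustive search to show that the attempt count is bounded by the key space the estimates are built on.

```python
import hashlib
import itertools
import string

# Character sets behind the post's estimates. Counting all 32 ASCII
# punctuation marks as the "special characters" is an assumption.
DIGITS = string.digits                                   # 10
LOWER_DIGITS = string.ascii_lowercase + string.digits    # 36
MIXED_ALNUM = string.ascii_letters + string.digits       # 62
MIXED_ALNUM_SPECIAL = MIXED_ALNUM + string.punctuation   # 94

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def keyspace(charset_size, length):
    """Number of candidates of exactly `length` characters."""
    return charset_size ** length


def exhaust_seconds(charset_size, length, guesses_per_second):
    """Worst-case time to try every candidate of the given length.
    On average the password is found after about half of this."""
    return keyspace(charset_size, length) / guesses_per_second


def exhaust_days(charset_size, length, guesses_per_second):
    return exhaust_seconds(charset_size, length, guesses_per_second) / SECONDS_PER_DAY


def exhaust_years(charset_size, length, guesses_per_second):
    return exhaust_seconds(charset_size, length, guesses_per_second) / SECONDS_PER_YEAR


def gain_factor(base_size, base_len, new_size, new_len):
    """How many times larger the key space becomes when moving from one
    (charset size, length) policy to another."""
    return keyspace(new_size, new_len) / keyspace(base_size, base_len)


def sha256_hex(password):
    return hashlib.sha256(password.encode()).hexdigest()


def brute_force(target_digest, charset, max_len):
    """Exhaustive search: try every string of length 1..max_len over
    `charset` in order, hashing each and comparing with the target.
    Returns (password or None, attempts). The attempt count never
    exceeds sum(len(charset) ** n for n in 1..max_len), which is the
    'maximum time' bound the post's figures are based on."""
    attempts = 0
    for n in range(1, max_len + 1):
        for cand in itertools.product(charset, repeat=n):
            attempts += 1
            pw = "".join(cand)
            if sha256_hex(pw) == target_digest:
                return pw, attempts
    return None, attempts


if __name__ == "__main__":
    # Reproduce the post's headline figures.
    print(f"62^8 at 10k/s:  {exhaust_years(62, 8, 1e4):.0f} years")
    print(f"94^8 at 1e9/s:  {exhaust_days(94, 8, 1e9):.0f} days")
    print(f"96^8 at 1e9/s:  {exhaust_days(96, 8, 1e9):.0f} days")
    print(f"10^8 at 10k/s:  {exhaust_seconds(10, 8, 1e4) / 3600:.1f} hours")

    # Which buys more: a ninth character, or a symbol class on eight?
    print(f"62^8 -> 62^9: x{gain_factor(62, 8, 62, 9):.0f}")
    print(f"62^8 -> 94^8: x{gain_factor(62, 8, 94, 8):.0f}")

    # Toy exhaustive search against a constructed digest (not a real credential).
    target = sha256_hex("ab9")
    pw, attempts = brute_force(target, LOWER_DIGITS, 3)
    total = sum(keyspace(len(LOWER_DIGITS), n) for n in range(1, 4))
    print(f"recovered {pw!r} after {attempts} of {total} candidates")
```

The comparison answers the question the post opens with: at length 8, moving from 62 to 94 characters multiplies the key space by about 28, while simply adding a ninth mixed-case alphanumeric character multiplies it by 62. Length is the cheaper lever.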

If you haven’t already, it may be time to start picking longer passwords for important accounts.

One thought on “Slow and Steady”

  1. Ben Tomhave says:

    The situation is even more dire than you describe. The link you cite is about 18 months old (from July 2009), and much has changed since then. In particular, Amazon EC2 now has GPU clusters available, which have been used to benchmark cracking passwords. While the individual password-cracking speeds are only perhaps slightly better, what’s important is that you can now run 100s of parallel threads to greatly increase cracking speed.

    Incidentally, one of the announcements out of Black Hat DC this week is a soon-to-be-released tool to crack WPA-PSK passwords in the Amazon cloud at a pace of around 400k attempts per second (which will only improve with time).
