Friday, April 2, 2010

Password Hacking Time Comparison

One of the largest chasms in computer security is the distance between good password practices and their actual use.

Everyone knows by now that the longer and more complex a password, the harder it is to break using commonly available password cracking tools. Yet people continue to employ short, simplistic passwords that don't survive three minutes of a brute force or dictionary attack.

If you want some examples of the most common passwords, click here. If you have a password on that list, just remember that the rest of the internet is using it too.

At what point does a password achieve enough complexity to be effective without requiring you to write it down on a Post-It note that you hide in your desk drawer or under your keyboard? Perhaps this chart, provided by Forever Geek, will help.


Passwords containing lowercase letters only are quite obviously not a deterrent to rudimentary cracking tools. Simply adding capital letters and/or special characters ($,&,#,+) to the mix takes the average cracking time for a seven-character password from 2.23 hours to 2.21 years.

Back when I was teaching computer security classes, I took this a little bit further. I explained the difference between using a simple password, which Microsoft products turn into an easily-cracked hash stored in the local SAM and in Active Directory, and typing a more complex 15-character string, which Windows turns into an LM hash value that cannot be used to authenticate the user, making it closer to being the Fort Knox of passwords.

It's as easy as using a passphrase - a series of words that's easily remembered, hard to brute-force, but not so cumbersome that you can't use it regularly. The example passphrase I used was ILikeStinkyCheese.

The result: Seventeen characters, both upper and lower case, in an easily-remembered format. Let's take a look at what that does to the cracking times according to the chart:

  • lowercase only moves to more than 2.046 millennia
  • all characters moves to more than 154,640,721,434 millennia

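
The chart's figures come straight from the size of the search space, so here is an added example (not from the original post or from Forever Geek) that recomputes them. It assumes a 26-letter lowercase set, a 95-character printable-ASCII set and a flat 1,000,000 guesses per second, which is what reproduces the 2.23 hours and 2.21 years for seven characters; it also models the case the chart cannot show, an attacker guessing the passphrase as whole dictionary words rather than as 17 independent characters.

```python
import math

# Assumed parameters (not stated on the page): they reproduce the chart's
# seven-character figures exactly, so they are the chart's implied model.
LOWERCASE = 26
ALL_PRINTABLE = 95
GUESSES_PER_SEC = 1_000_000
SECONDS_PER_YEAR = 365.25 * 86400


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates an exhaustive search must cover."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int,
                       rate: float = GUESSES_PER_SEC) -> float:
    """Worst-case time to try every candidate (expected time is half of this)."""
    return keyspace(charset_size, length) / rate


def human_time(seconds: float) -> str:
    """Render a duration in the largest whole unit, the way the chart does."""
    units = [("millennia", 1000 * SECONDS_PER_YEAR), ("years", SECONDS_PER_YEAR),
             ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.2f} {name}"
    return f"{seconds:.2f} seconds"


def passphrase_word_keyspace(words: int, dictionary_size: int,
                             capitalization_choices: int = 2) -> int:
    """Constructed model of guessing whole words: each slot is one of
    dictionary_size words, each optionally capitalized."""
    return (dictionary_size * capitalization_choices) ** words


if __name__ == "__main__":
    for label, cs in (("lowercase", LOWERCASE), ("all characters", ALL_PRINTABLE)):
        for length in (7, 17):
            print(f"{length} chars, {label}: "
                  f"{human_time(seconds_to_exhaust(cs, length))}")
    # ILikeStinkyCheese is three common words; assume a 10,000-word list.
    word_model = passphrase_word_keyspace(3, 10_000) / GUESSES_PER_SEC
    print(f"3 words from a 10,000-word list: {human_time(word_model)}")
```

The last line is the caveat: against a word-based guess list, a three-word passphrase sits nearer the 7-character mixed row than the 17-character row, so the chart's "more than" figures hold only against an attacker who treats the phrase as 17 unrelated characters.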
Do I think that people will move to seventeen character passphrases? Heck no. And there's still a very large threat of keystroke loggers and malware capturing your password as you type it in, so whether it's five characters or fifty, if someone is stealing it as you type it, you've got bigger problems.

The point is to make the bad guys work for it, and to eliminate the low-hanging fruit.

Most people close the front door to their house when they're not home. That keeps normal crooks from wandering inside. The majority of us also lock the door, which keeps out all but the most determined thieves. Others add deadbolts, alarms, and vicious attack poodles.

Each layer of additional security increases the complexity needed for a successful attack, and therefore eliminates most would-be attackers from targeting you in the first place. It's much easier to move on to the four houses down the road with open doors.

It's easy, it's fast, and it's effective. You're welcome.
