You may think your password is secure. Maybe you have chosen an obscure word, mixed in numbers, and added a ! to the end. Think you’re pretty safe, huh?

The truth is, you aren’t. I can crack a 5 character password in less then 139 seconds!

We have been trained over time, by unproven security techniques, to make our passwords contain numbers and letters; sometimes even an @ or # or ! is added to the mix. But the truth is, we are only making it harder on ourselves with passwords that are difficult to remember, but easy to guess in a brute-force attack (automated hacking software).

Although a 128-character totally random password would be phenomenal, 8 characters is about all that can be enforced without frustrating users. However, an 8-character password comprised of uppercase, lowercase, and numbers can be cracked overnight in a real world brute-force attack.

The Scoop on Alpha-Numeric Passwords

Even though we are trained to think that a password of Blu3D0g5 is the most secure type of password, it can still be cracked by a brute-force attack.

Bare with me while I explain… with some maths!

For every character in an alpha-numeric password there are 62 possibilities. First, you have the 26 character alphabet in lowercase, then 26 more in uppercase, and 10 digits.

26 + 26 + 10 = 62

This is to say that if you choose 8 characters, completely at random, your password would be very secure. However, we typically take a familiar word, or couple of words, and add some uppercase letters, or replace e with 3, etc… which is not secure.

When we calculate the Information Entropy (known as the lack of order or predictability) we can see that a completely random character set is great, but when it is derived from an English word, or contains a date, it is simply terrible. The equation looks like this:

[Password_Length] * log2([Number_of_Possibilities]) = "Information Entropy"
8 * log2(62) = "~48 bits"
# which would take almost 9,000 years at 1,000 guesses per second

But, when your password isn’t completely random, it’s not that simple.

Because the password we chose was actually two words, blue and dogs, with some uppercase and numbers mixed in, the total Entropy is MUCH less. Something closer to ~28 bits.

So let’s calculate what this actually means. A brute-force attacker can easily guess 1,000 times per second. The total number of options to guess can be calculated by taking the base 2 to the total number of bits.

2^28 = 268,435,456
# This is the total number of possibilities the password could be.

In theory though, an attacker only needs to guess about half the total number of options before stumbling upon the correct one. So:

268,435,456 / 2 = 134,217,728
# Total number of guesses it takes to guess your password

134,217,728 / 1,000 = ~134,218
# At 1,000 guesses per second, it takes about 134,218 seconds

134,218 / 60 = ~2,237
# Or 2,237 minutes

2,237 / 60 = ~37
# Or 37 hours to guess your password

In Contrast

Let’s say we use 4 random words, without any numbers, and all lowercase. For example: yellow tiger note basket. There are an incalculable amount of words for you to choose from, but most likely, you will choose from about 7,000 of the most commonly used words. If you use unique words like laggardly or pomological, the total time to crack your password will increase exponentially!

Using this new data, the Information Entropy is now calculated as:

[Number_of_words] * log2(7,000)

So, this new password now has ~51 bits of Entropy, and using the same time calculations above, we estimate our password would take about 35,702 years to crack at the rate of 1,000 guesses per second.

That is in stark contrast to the short 37 hours it takes to crack the Blu3D0g5 password.

The Take Away

By simply increasing the length of our passwords and using words randomly mixed together, we can have the most secure passwords that attackers will struggle to figure out, but that we can actually remember. I personally will never forget yellow tiger note basket as long as I live. However, now I can’t use it.