You may think your password is secure. Maybe you have chosen an obscure word, mixed in numbers, and added a ! to the end. Think you’re pretty safe, huh?
The truth is, you aren’t. I can crack a 5-character password in less than 139 seconds!
We have been trained over time, by unproven security techniques, to make our passwords contain numbers and letters; sometimes even an @ or # or ! is added to the mix.
But the truth is, we are only making it harder on ourselves with passwords that are difficult to remember, but easy to guess in a brute-force attack (automated hacking software).
Although a 128-character totally random password would be phenomenal, 8 characters is about all that can be enforced without frustrating users. However, an 8-character password comprised of uppercase, lowercase, and numbers can be cracked overnight in a real world brute-force attack.
The Scoop on Alpha-Numeric Passwords
Even though we are trained to think that a password of Blu3D0g5 is the most secure type of password, it can still be cracked by a brute-force attack.
Bear with me while I explain… with some maths!
For every character in an alpha-numeric password there are 62 possibilities. First, you have the 26-character alphabet in lowercase, then 26 more in uppercase, and 10 digits.
26 + 26 + 10 = 62
This is to say that if you choose 8 characters, completely at random, your password would be very secure. However, we typically take a familiar word, or a couple of words, and add some uppercase letters, or replace e with 3, etc… which is not secure.
When we calculate the Information Entropy (known as the lack of order or predictability) we can see that a completely random character set is great, but when it is derived from an English word, or contains a date, it is simply terrible. The equation looks like this:
[Password_Length] * log2([Number_of_Possibilities]) = "Information Entropy"
8 * log2(62) = "~48 bits"
# which would take almost 9,000 years at 1,000 guesses per second
But, when your password isn’t completely random, it’s not that simple.
Because the password we chose was actually two words, blue and dogs, with some uppercase and numbers mixed in, the total Entropy is MUCH less. Something closer to ~28 bits.
So let’s calculate what this actually means. A brute-force attacker can easily guess 1,000 times per second. The total number of options to guess can be calculated by raising 2 to the power of the total number of bits.
2^28 = 268,435,456
# This is the total number of possibilities the password could be.
In theory though, an attacker only needs to guess about half the total number of options before stumbling upon the correct one. So:
268,435,456 / 2 = 134,217,728
# Total number of guesses it takes to guess your password
134,217,728 / 1,000 = ~134,218
# At 1,000 guesses per second, it takes about 134,218 seconds
134,218 / 60 = ~2,237
# Or 2,237 minutes
2,237 / 60 = ~37
# Or 37 hours to guess your password
In Contrast
Let’s say we use 4 random words, without any numbers, and all lowercase. For example: yellow tiger note basket. There are an incalculable number of words for you to choose from, but most likely, you will choose from about 7,000 of the most commonly used words. If you use unique words like laggardly or pomological, the total time to crack your password will increase exponentially!
Using this new data, the Information Entropy is now calculated as:
[Number_of_words] * log2(7,000)
So, this new password now has ~51 bits of Entropy, and using the same time calculations above, we estimate our password would take about 35,702 years to crack at the rate of 1,000 guesses per second.
That is in stark contrast to the short 37 hours it takes to crack the Blu3D0g5 password.
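The entropy formulas and crack-time arithmetic above, as an added Python example (not from the original article); it goes one step further and draws the passphrase with Python's secrets module, because the word-count formula only holds when every word is picked uniformly at random. The function names and the 16-word sample list are constructed for illustration.

```python
import math
import secrets

GUESSES_PER_SECOND = 1_000            # attacker rate assumed in the article
SECONDS_PER_YEAR = 365 * 24 * 3600

# Constructed sample list: 16 words = 4 bits per word. Illustration only;
# a usable list needs thousands of words (the article assumes about 7,000).
SAMPLE_WORDS = ["yellow", "tiger", "note", "basket", "river", "candle",
                "orbit", "maple", "window", "pepper", "anchor", "violin",
                "meadow", "copper", "lantern", "pillow"]


def entropy_bits(choices: int, picks: int) -> float:
    """Bits of entropy for `picks` independent, uniformly random selections."""
    if choices < 2 or picks < 1:
        raise ValueError("need at least 2 choices and 1 pick")
    return picks * math.log2(choices)


def average_crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected brute-force time: half of the 2**bits search space."""
    return 2 ** bits / 2 / rate


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest number of random words that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(wordlist, n_words: int):
    """Pick words with a CSPRNG; return (phrase, entropy in bits)."""
    unique = sorted(set(wordlist))    # duplicates would skew the distribution
    phrase = " ".join(secrets.choice(unique) for _ in range(n_words))
    return phrase, entropy_bits(len(unique), n_words)


if __name__ == "__main__":
    for label, bits in [("8 random alphanumerics", entropy_bits(62, 8)),
                        ("Blu3D0g5 (article's estimate)", 28),
                        ("4 words from 7,000", entropy_bits(7000, 4))]:
        years = average_crack_seconds(bits) / SECONDS_PER_YEAR
        print(f"{label}: {bits:.1f} bits, about {years:,.2f} years on average")
    print(generate_passphrase(SAMPLE_WORDS, 4))
```

The 35,702-year figure corresponds to exactly 51 bits; with the unrounded value of 4 * log2(7,000) the same calculation gives roughly 38,000 years.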
The Take Away
By simply increasing the length of our passwords and using words randomly mixed together, we can have the most secure passwords that attackers will struggle to figure out, but that we can actually remember. I personally will never forget yellow tiger note basket as long as I live. However, now I can’t use it.