Sciencetext Tips & Tricks

Tech talk, social media, blogging, computing tips and tricks

How quickly can your password be cracked?

July 1st, 2010 · by David Bradley >> 4 Comments

    Mike on ghacks has posted an interesting introduction to password strength. You may think your password is strong, but the time required to crack a password, by trying every possible combination, ranges from essentially instantaneous (for any 3-character password, e.g. 3D%) to several years for an 8-character password of mixed-case letters, digits and symbols (e.g. 4$Gqvt}k).

    Mike displays a nice table to show the range of crackability:

    His top tip for passwords? “Choose one or two super-strong passwords and change the passwords on every website you have an account with to those.”

    My own tip is to use a password manager, allow it to create a different random super strong password for every site and then create a super strong master password. Use an offline password manager that does not store your passwords on its servers whether encrypted or not.
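    The estimates above follow from simple counting: a brute-force attacker has to search every string drawn from the character classes the password uses, so the search space is (alphabet size)^(length), and the time to exhaust it is that number divided by the attacker's guess rate. The Python below is an added illustration, not code from the original post or from Mike's table. The class sizes (26 lower, 26 upper, 10 digits, 32 printable ASCII symbols), the two guess rates (a throttled online login form versus an offline hash cracker) and the password generator are my assumptions; the two sample passwords are the ones quoted above.

```python
import secrets
import string

# Character classes used to estimate the alphabet an attacker must search.
# Assumption: the attacker knows only which classes appear, not where, so a
# brute-force search covers every string over the union of those classes.
CHARACTER_CLASSES = {
    "lower": string.ascii_lowercase,     # 26
    "upper": string.ascii_uppercase,     # 26
    "digit": string.digits,              # 10
    "symbol": string.punctuation,        # 32 printable ASCII symbols
}

# Assumed guess rates (illustrative, not taken from the original post).
ASSUMED_RATES = {
    "online, throttled login form": 10,             # guesses per second
    "offline, fast hash on stolen hash": 1_000_000_000,  # guesses per second
}


def classes_present(password):
    """Names of the character classes that occur in the password."""
    return [name for name, chars in CHARACTER_CLASSES.items()
            if any(c in chars for c in password)]


def alphabet_size(password):
    """Size of the alphabet a brute-force attacker must cover."""
    size = sum(len(CHARACTER_CLASSES[name]) for name in classes_present(password))
    known = "".join(CHARACTER_CLASSES.values())
    # Any character outside the four classes (space, non-ASCII) adds itself.
    size += len({c for c in password if c not in known})
    return size


def search_space(password):
    """Number of candidates in an exhaustive search: alphabet ** length."""
    return alphabet_size(password) ** len(password)


def seconds_to_exhaust(password, guesses_per_second):
    """Worst-case time to try every candidate; the average is half of this."""
    return search_space(password) / guesses_per_second


def human_duration(seconds):
    """Render a number of seconds in the largest sensible unit."""
    if seconds < 1:
        return "less than a second"
    units = [("years", 365 * 24 * 3600), ("days", 86400),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"


def estimate(password):
    """Map each assumed attack scenario to the time to exhaust the space."""
    return {scenario: human_duration(seconds_to_exhaust(password, rate))
            for scenario, rate in ASSUMED_RATES.items()}


def generate_password(length=16):
    """Random password from all four classes, as a password manager would make.
    Uses the secrets module (a CSPRNG), never random.random()."""
    alphabet = "".join(CHARACTER_CLASSES.values())
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if len(classes_present(candidate)) == len(CHARACTER_CLASSES):
            return candidate


if __name__ == "__main__":
    for pw in ("3D%", "4$Gqvt}k", generate_password()):
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, "
              f"search space {search_space(pw):,}")
        for scenario, duration in estimate(pw).items():
            print(f"    {scenario}: {duration}")
```

    Two caveats worth keeping in mind when reading the output. The figures are an upper bound on attacker effort: they assume a pure brute-force search, and a password built from dictionary words or repeated fragments falls to a wordlist or pattern attack long before the space is exhausted. And the dominant variable is the guess rate, which is why the same 8-character password that survives for years against a throttled login form lasts only weeks against an offline cracker working on a leaked hash; the defences differ accordingly (lockout and rate limiting on the server, slow salted hashing of stored passwords, and long random passwords from a manager).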

    4 responses so far ↓

    • SwBratcher // Jul 19, 2010 at 4:46 pm

      Can you add a few more rows to your table? I’d like to see how more lengths play out.

    • Renee // Jul 19, 2010 at 8:26 pm

      A better “hot tip” is to create several super-strong passwords and then vary a portion of them depending on the website name. eg

      azSup3r#S740ng! – Amazon.com
      ppSup3r#S740ng! – PayPal
      gmSup3r#S740ng! – GMail

      … that way if one gets somehow into the wild it will mean you’ll have a bit of time to change the others, as they won’t all be identical. It’s really not good practice to use the same password on different sites, and this method at least mitigates against that.

    • Luke // Jul 20, 2010 at 2:13 am

      This article is sensationalistic. First, the conclusion is absurd, and, second, there’s little stated here as to how the conclusion is arrived at.

      I can only guess that the author assumes a hacker can submit unlimited login attempts in a given time frame to the system they’re trying to break. And, more importantly, won’t trip any alarms in the process.

      For most high security sites and software, the third failed login attempt causes alarms to be tripped and login attempts are suspended for a lengthy time period (be it 10 minutes or a day). Not to mention, but by the thousandth failed login attempt you’re sure to raise the suspicious eye of any high stake institution who deals with fraud, spoofing, man in the middle and a thousand other types of attacks on a daily basis.

      Even if the hacker doesn’t raise the weary eye of the institution it is breaking into, this login suspension stops hackers from trying a hundred login attempts in, say, a minute.

      Relying on a password manager to remember all your passwords is a bad idea. What happens when your system crashes or when you want to login from a different machine?

      Not to mention, but using

    • srbuzzer // Jul 21, 2010 at 8:31 am

      How strong would a password like this be: samplesample22. Does the word repetition make it more vulnerable than if there were no character pattern repetitions?