How much time is needed to crack a password by brute-force?


If the password cannot be guessed and is not found in a dictionary, the cracker has to try a brute-force attack. When brute-forcing, the time to crack the password depends on the number of possible passwords that the cracker has to try. The number of possible passwords increases with password length and with the diversity of characters being used (complexity).

Let's take the scenario of a cracker trying 15 million passwords per second. This is currently the maximum speed being claimed by password cracker vendors. You need a pretty fast computer to achieve this.

The following table shows the computed time to crack a password with 15 million tries per second. Notice the incredible increase in the time needed to try all possible combinations as password length and complexity increase.

length: 4, complexity: a-z ==> less than 1 second

length: 4, complexity: a-zA-Z0-9 + symbols ==> 4.8 seconds

length: 5, complexity: a-zA-Z ==> 25 seconds

length: 6, complexity: a-zA-Z0-9 ==> 1 hour

length: 6, complexity: a-zA-Z0-9 + symbols ==> 11 hours

length: 7, complexity: a-zA-Z0-9 + symbols ==> 6 weeks

length: 8, complexity: a-zA-Z0-9 ==> 5 months

length: 8, complexity: a-zA-Z0-9 + symbols ==> 10 years

length: 9, complexity: a-zA-Z0-9 + symbols ==> 1000 years

length: 10, complexity: a-zA-Z0-9 ==> 1700 years

length: 10, complexity: a-zA-Z0-9 + symbols ==> 91800 years

What we see is that:

* any password shorter than 5 characters can be cracked within 5 seconds
* any password shorter than 7 characters can be cracked within a day
* with a password length of 9, the cracking time goes to hundreds of years

In most cases this can be considered acceptable, since a secret usually needs to be kept for a maximum of 30 years. To be on the safe side, we recommend a minimum password length of 10 characters.

Note: the crack times mentioned in the table are the times needed to try all the possible passwords. There is a great chance that the cracker only needs 50% of this time. Also bear in mind that a cracker can always have a lucky shot at his first try and crack the password immediately. The chance is very small, but theoretically it is possible.
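The table's figures are the number of candidate passwords divided by 15 million guesses per second. The following is an added example, not code from the original article, that recomputes them, gives the halved figure the note mentions, and finds the shortest length that outlasts a chosen number of years. The count of 30 symbols is an assumption chosen because it reproduces the article's figures, and all function names are illustrative.

```python
RATE = 15_000_000          # guesses per second, the article's scenario
YEAR = 365 * 24 * 3600     # seconds in a 365-day year

# Alphabet size per complexity class. The article does not say how many
# symbols it counts; 30 is an assumption that reproduces its figures.
ALPHABETS = {
    "a-z": 26,
    "a-zA-Z": 52,
    "a-zA-Z0-9": 62,
    "a-zA-Z0-9 + symbols": 62 + 30,
}

def keyspace(length, alphabet_size, up_to=False):
    """Candidates of exactly `length` chars, or of every length 1..length."""
    if up_to:
        return sum(alphabet_size ** k for k in range(1, length + 1))
    return alphabet_size ** length

def crack_seconds(length, complexity, rate=RATE, average=False, up_to=False):
    """Seconds to try every candidate, or half of them when average=True."""
    total = keyspace(length, ALPHABETS[complexity], up_to) / rate
    return total / 2 if average else total

def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    units = (("years", YEAR), ("weeks", 604_800), ("days", 86_400),
             ("hours", 3_600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.2f} seconds"

def min_length(complexity, years, rate=RATE):
    """Shortest length whose exhaustive search lasts at least `years`."""
    length = 1
    while crack_seconds(length, complexity, rate) < years * YEAR:
        length += 1
    return length

if __name__ == "__main__":
    for length, cx in [(4, "a-z"), (6, "a-zA-Z0-9"), (8, "a-zA-Z0-9 + symbols"),
                       (10, "a-zA-Z0-9 + symbols")]:
        worst = crack_seconds(length, cx)
        print(f"length {length:2}, {cx:20} worst {humanize(worst):>16}, "
              f"average {humanize(worst / 2):>16}")
    print("30-year minimum, a-zA-Z0-9:", min_length("a-zA-Z0-9", 30))
```

Passing a different `rate` shows how quickly the recommended minimum length shifts when the guessing speed changes.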

About the Author:

TopLine Strategies delivers the complete integration and development of sales, marketing and customer service technologies that enable corporate clientele to improve revenue streams and strengthen customer interactions. Our project management and consulting is designed to achieve timely delivery, 100 percent user adoption of the technologies we implement and deliver measurable returns on investments for our clients.
