
How much time is needed to crack a password by brute-force?
If the password cannot be guessed and is not found in a dictionary, the cracker has to fall back on a brute-force attack. When brute-forcing, the time to crack the password depends on the number of possible passwords the cracker has to try. That number grows with password length and with the diversity of the characters being used (complexity).
Let’s take the scenario of a cracker trying 15 million passwords per second. This is currently the maximum speed claimed by password cracker vendors, and you need a pretty fast computer to achieve it. The following table shows the computed time to crack a password at 15 million tries per second. Notice the enormous increase in the time needed to try all possible combinations as password length and complexity increase.
| Length | Character set | Time to try all combinations |
|---|---|---|
| 4 | a-z | less than 1 second |
| 4 | a-zA-Z0-9 + symbols | 4.8 seconds |
| 5 | a-zA-Z | 25 seconds |
| 6 | a-zA-Z0-9 | 1 hour |
| 6 | a-zA-Z0-9 + symbols | 11 hours |
| 7 | a-zA-Z0-9 + symbols | 6 weeks |
| 8 | a-zA-Z0-9 | 5 months |
| 8 | a-zA-Z0-9 + symbols | 10 years |
| 9 | a-zA-Z0-9 + symbols | 1000 years |
| 10 | a-zA-Z0-9 | 1700 years |
| 10 | a-zA-Z0-9 + symbols | 91800 years |
What we see is that:
* any password shorter than 5 characters can be cracked within 5 seconds;
* any password shorter than 7 characters can be cracked within a day;
* with a password length of 9, the cracking time goes to hundreds of years. In most cases this can be considered acceptable, since we usually need to keep a secret for a maximum of 30 years.
To be on the safe side, we recommend a minimum password length of 10 characters.
Note: the crack times in the table are the times needed to try all possible passwords. The cracker will very often need only about 50% of this time, because on average the right password is found halfway through the search. Also bear in mind that a cracker can always have a lucky shot on his first try and crack the password immediately. The chance is very small, but theoretically it is possible.
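The table above can be reproduced from the keyspace formula (alphabet size raised to the password length, divided by the guess rate). The following is an added example, not code from the original article; it assumes the article's "symbols" set contains 30 characters (a 92-character alphabet), which is the size that matches the table entries, and it also derives the minimum length needed to keep a secret for a given number of years.

```python
import math

# Character-set sizes used in the article's table.
LOWER = 26                 # a-z
LOWER_UPPER = 52           # a-zA-Z
ALNUM = 62                 # a-zA-Z0-9
ALNUM_SYMBOLS = 92         # a-zA-Z0-9 + symbols; 30 symbols is an assumption that reproduces the table

RATE = 15_000_000          # guesses per second, as in the article
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def worst_case_seconds(alphabet_size: int, length: int, rate: int = RATE) -> float:
    """Time to try every password of this length (the table's figures)."""
    return keyspace(alphabet_size, length) / rate


def expected_seconds(alphabet_size: int, length: int, rate: int = RATE) -> float:
    """Average time: the right password is found, on average, halfway through."""
    return worst_case_seconds(alphabet_size, length, rate) / 2


def min_length_for_years(alphabet_size: int, years: float, rate: int = RATE) -> int:
    """Smallest length whose full search takes at least `years` at `rate` guesses/sec.
    Uses integer arithmetic so large keyspaces do not lose precision."""
    target = math.ceil(years * SECONDS_PER_YEAR * rate)
    length = 1
    while keyspace(alphabet_size, length) < target:
        length += 1
    return length


def human(seconds: float) -> str:
    """Render a duration in the largest unit that fits, like the article's table."""
    units = [("years", SECONDS_PER_YEAR), ("months", SECONDS_PER_YEAR / 12),
             ("weeks", 7 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return "less than 1 second"


if __name__ == "__main__":
    for size, length in [(LOWER, 4), (ALNUM_SYMBOLS, 4), (ALNUM, 6), (ALNUM, 8), (ALNUM, 10)]:
        print(f"alphabet {size:>2}, length {length:>2}: {human(worst_case_seconds(size, length))}")
    # Minimum length so that a full search at 15M/s takes at least 30 years.
    print("alnum length for 30 years:", min_length_for_years(ALNUM, 30))
```

The 30-year target gives length 10 for a-zA-Z0-9 and 9 when symbols are added, which is where the article's recommendation comes from.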
Tags: brute force attack, Cybersecurity, password cracking, security
The number of tries per second also depends on the speed of the hardware the attacker is using.
Here are some baselines based on typical hardware.
A. 10,000 Passwords/sec
Typical for recovery of Microsoft Office passwords on a Pentium 100
B. 100,000 Passwords/sec
Typical for recovery of Windows Password Cache (.PWL Files) passwords on a Pentium 100
C. 1,000,000 Passwords/sec
Typical for recovery of ZIP or ARJ passwords on a Pentium 100
D. 10,000,000 Passwords/sec
Fast PC, Dual Processor PC.
E. 100,000,000 Passwords/sec
Workstation, or multiple PCs working together.
F. 1,000,000,000 Passwords/sec
Typical for medium to large scale distributed computing, Supercomputers.
Distributed.net’s Project Bovine RC5-64, possibly the fastest computer on earth, has recently reached a speed of 76.1 billion passwords per second!
The reality of the situation is that the government or hackers (with access to distributed botnets) can probably breach a password of 10 characters in a few months’ time.
[...] was only seven alpha/numeric digits. Most security experts recommend a minimum of eight, but more is better. In fact, studies have shown that length is the most important factor in increasing time required [...]