This won’t be new but the detail might be sufficiently interesting to make you do something about it.
There’s no need to re-explain the context in detail. In brief: the passwords we use for our on-line accounts need to be strong. A strong password is one that takes more time to crack using “brute force”.
Brute force password cracking
So let’s see how this works. Imagine a piece of software that keeps guessing a password and machine-gunning variations of it into one of your account log-in forms. Now imagine a systematic guessing machine that repeats this at speed until the account is cracked. The time it takes will depend upon how difficult your password is to guess. Here are some basic examples of password difficulty and the time a brute-force attack needs to crack them at one thousand guesses a second:
Password | Time to crack the password at one thousand guesses a second
---|---
january | 3.19 months
January | 33.33 years
january17 | 33.22 centuries
january~17 | 7.89 hundred thousand centuries
January17 | 4.37 thousand centuries
January~17 | 19.24 million centuries
Now let’s imagine a massively powerful computer – or series of computers – doing this guesswork so that, instead of making a thousand guesses a second, it makes a hundred billion guesses a second. This sounds ludicrous, but is worth following:
Password | Time to crack at one thousand guesses a second | Time to crack at one hundred billion guesses a second
---|---|---
january | 3.19 months | 0.0835 seconds
January | 33.33 years | 10.48 seconds
january17 | 33.22 centuries | 17.41 minutes
january~17 | 7.89 hundred thousand centuries | 9.47 months
January17 | 4.37 thousand centuries | 1.59 days
January~17 | 19.24 million centuries | 19.24 years
Now we up the game once more and endow our imaginary hacker with massively fast processing power, this time of a hundred trillion guesses a second. Here goes:
Password | Time to crack at one thousand guesses a second | Time to crack at one hundred billion guesses a second | Time to crack at one hundred trillion guesses a second
---|---|---|---
january | 3.19 months | 0.0835 seconds | 0.0000835 seconds
January | 33.33 years | 10.48 seconds | 0.0105 seconds
january17 | 33.22 centuries | 17.41 minutes | 1.04 seconds
january~17 | 7.89 hundred thousand centuries | 9.47 months | 6.89 hours
January17 | 4.37 thousand centuries | 1.59 days | 2.29 minutes
January~17 | 19.24 million centuries | 19.24 years | 1 week
You can see the pattern building up in these tables. A mix of lower case and upper case is better than no mix. A mix of letters and numbers is better than no mix. A symbol character in addition to letters and numbers is better than no symbol characters. Each extra character class enlarges the alphabet the guessing machine has to work through, and each extra character of length multiplies the number of combinations by the size of that alphabet.
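As an added illustration (my own script, not Gibson's calculator code), here is Python that reproduces the search-space arithmetic behind these tables. It assumes the calculator's counting convention: an alphabet of 26 lower-case letters, 26 upper-case letters, 10 digits and 33 symbols, counted only for the classes a password actually uses, and a search space that includes every string of that alphabet from length 1 up to the password's length. The rate labels, the unit sizes and the `humanize` formatting are my own choices, so the displayed times round slightly differently from the tables above, while the underlying guess counts (for example 0.0835 seconds for "january" at a hundred billion guesses a second) agree.

```python
import string

# Character classes assumed from the calculator's convention: 26 + 26 + 10 + 33.
# The 33 "symbols" are taken here as the 32 ASCII punctuation characters plus space (assumption).
CLASSES = [
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation) | {" "}, 33),
]

# Guess rates used in the tables above.
RATES = {
    "one thousand guesses a second": 1e3,
    "one hundred billion guesses a second": 1e11,
    "one hundred trillion guesses a second": 1e14,
}

# Unit sizes in seconds (a month here is one twelfth of a 365.25-day year; my choice).
UNITS = [
    ("centuries", 100 * 365.25 * 86400),
    ("years", 365.25 * 86400),
    ("months", 365.25 * 86400 / 12),
    ("weeks", 7 * 86400),
    ("days", 86400),
    ("hours", 3600),
    ("minutes", 60),
]


def alphabet_size(password: str) -> int:
    """Size of the alphabet an attacker must assume, given the classes the password uses."""
    chars = set(password)
    return sum(size for members, size in CLASSES if chars & members)


def search_space(password: str) -> int:
    """Number of candidates in an exhaustive search of every string of length 1 up to
    len(password) drawn from that alphabet. Exact integer arithmetic, so no overflow."""
    a = alphabet_size(password)
    return sum(a ** n for n in range(1, len(password) + 1))


def seconds_to_crack(password: str, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the whole search space at the given rate."""
    return search_space(password) / guesses_per_second


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that fits, as the tables above do."""
    for name, size in UNITS:
        if seconds >= size:
            return f"{seconds / size:.2f} {name}"
    return f"{seconds:.4g} seconds"


def crack_table(passwords, rates=RATES):
    """One row per password: (password, alphabet size, search space, {rate label: time})."""
    return [
        (pw, alphabet_size(pw), search_space(pw),
         {label: humanize(seconds_to_crack(pw, rate)) for label, rate in rates.items()})
        for pw in passwords
    ]


if __name__ == "__main__":
    for pw, a, space, times in crack_table(
            ["january", "January", "january17", "january~17", "January17", "January~17"]):
        print(f"{pw:<12} alphabet={a:<3} search space={space:,}")
        for label, t in times.items():
            print(f"    {label:<40} {t}")
```

Running it shows why the order of the rows in the tables is not simply "longer is better": adding the tilde to "january17" grows the alphabet from 36 to 69 characters and the length from 9 to 10, which multiplies the search space far more than the capital letter in "January17" does.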
But don’t forget common sense
All of this assumes that your password is not “ABCDEF” or “123456” or “Password”. These – and variations on the theme – will be the first guesses thrown at your login form and will take but milliseconds to detect.
Thanks are due to Steve Gibson for this perspective. You can test your own password’s strength using his “Interactive Brute Force Password Search Space Calculator”. His whole page is well worth reading in detail.
Protecting my clients
And in case you ask what sort of security is built into the login forms on the websites that I build, the simplest addition is a mechanism that allows me to block more than three failed consecutive logins from the same machine in any hour. There are other security measures which I won’t be discussing publicly, but this one is a good start given everything above.
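To make that throttling idea concrete, here is an added example in Python (my own code, not the mechanism on the author's sites) of a per-client login throttle that refuses a fourth consecutive failed login from the same client address inside a sliding one-hour window and resets the count on a successful login. The credential store, the demo user, the client addresses and the fake clock are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

MAX_FAILURES = 3        # a fourth consecutive failure inside the window is refused
WINDOW_SECONDS = 3600   # "in any hour"
ITERATIONS = 100_000    # PBKDF2 work factor for the constructed credential store


class LoginThrottle:
    """Per-client record of consecutive failed logins inside a sliding window."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.clock = clock                    # injectable so the policy can be tested without waiting
        self._failures = defaultdict(deque)   # client id -> timestamps of recent consecutive failures

    def _recent(self, client):
        now = self.clock()
        q = self._failures[client]
        while q and now - q[0] >= self.window:  # drop failures that have aged out of the window
            q.popleft()
        return q

    def is_blocked(self, client) -> bool:
        return len(self._recent(client)) >= self.max_failures

    def record_failure(self, client):
        self._recent(client).append(self.clock())

    def record_success(self, client):
        self._failures.pop(client, None)      # a success ends the consecutive streak


# Constructed credential store: one demo user with a salted PBKDF2 hash.
_SALT = os.urandom(16)
_USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"January~17", _SALT, ITERATIONS)}
_DUMMY = hashlib.pbkdf2_hmac("sha256", b"", _SALT, ITERATIONS)


def check_credentials(username: str, password: str) -> bool:
    stored = _USERS.get(username, _DUMMY)   # hash anyway so unknown users cost the same time
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, ITERATIONS)
    return username in _USERS and hmac.compare_digest(stored, candidate)


def attempt_login(throttle, client, username, password, verify=check_credentials) -> str:
    if throttle.is_blocked(client):
        return "blocked"                      # refused before the password is even checked
    if verify(username, password):
        throttle.record_success(client)
        return "ok"
    throttle.record_failure(client)
    return "denied"


class FakeClock:
    """Constructed clock so the one-hour window can be exercised instantly."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate():
    """Walk one client through three failures, the block, expiry of the window, and recovery."""
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    client = "203.0.113.7"                    # constructed client address
    results = []
    for guess in ("january", "January", "january17", "January17"):
        results.append(attempt_login(throttle, client, "alice", guess))
        clock.advance(60)
    # Even the correct password is refused while the block is in force.
    results.append(attempt_login(throttle, client, "alice", "January~17"))
    clock.advance(WINDOW_SECONDS)             # the earlier failures age out of the hour
    results.append(attempt_login(throttle, client, "alice", "January~17"))
    # A different client is unaffected by the first client's failures.
    results.append(attempt_login(throttle, "198.51.100.2", "alice", "wrong"))
    return results


if __name__ == "__main__":
    print(simulate())   # expected: denied, denied, denied, blocked, blocked, ok, denied
```

Keying the block on the client address is the simplest form of this control and it cuts the thousand-guesses-a-second online scenario in the first table down to three guesses an hour from any one machine. It is a complement to strong passwords rather than a substitute: it does nothing about a password that is on the list of first guesses, and it only limits what a single client address can do in an hour.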