This won’t be new but the detail might be sufficiently interesting to make you do something about it.

There’s no need to re-explain the context in detail. In brief: the passwords we use for our on-line accounts need to be strong. A strong password is one that takes more time to crack using “brute force”.

Brute force password cracking

So let’s see how this works. Just imagine a piece of software that keeps guessing a password and machine-gunning variations of it into one of your account log-in forms. Now imagine a systematic guessing machine that repeats this at speed until the account is cracked. The time it takes to do this will depend upon how difficult it is to guess your password. Here are some basic examples of passwords of varying difficulty and how long brute force takes to crack them:

Time taken to crack different passwords

| Password   | Time to crack at one thousand guesses a second |
| ---------- | ---------------------------------------------- |
| january    | 3.19 months                                    |
| January    | 33.33 years                                    |
| january17  | 33.22 centuries                                |
| january~17 | 7.89 hundred thousand centuries                |
| January17  | 4.37 thousand centuries                        |
| January~17 | 19.24 million centuries                        |

Now let’s imagine a massively powerful computer – or series of computers – doing this guesswork so that, instead of taking a thousand guesses a second, they take a hundred billion guesses a second. This sounds ludicrous, but is worth following:

Time taken to crack different passwords: two hypothetical force levels compared

| Password   | One thousand guesses a second   | One hundred billion guesses a second |
| ---------- | ------------------------------- | ------------------------------------ |
| january    | 3.19 months                     | 0.0835 seconds                       |
| January    | 33.33 years                     | 10.48 seconds                        |
| january17  | 33.22 centuries                 | 17.41 minutes                        |
| january~17 | 7.89 hundred thousand centuries | 9.47 months                          |
| January17  | 4.37 thousand centuries         | 1.59 days                            |
| January~17 | 19.24 million centuries         | 19.24 years                          |

Now we up the game once more and endow our imaginary hacker with massively fast processing power, this time of a hundred trillion guesses a second. Here goes:

Time taken to crack different passwords: three hypothetical force levels compared

| Password   | One thousand guesses a second   | One hundred billion guesses a second | One hundred trillion guesses a second |
| ---------- | ------------------------------- | ------------------------------------ | ------------------------------------- |
| january    | 3.19 months                     | 0.0835 seconds                       | 0.0000835 seconds                     |
| January    | 33.33 years                     | 10.48 seconds                        | 0.0105 seconds                        |
| january17  | 33.22 centuries                 | 17.41 minutes                        | 1.04 seconds                          |
| january~17 | 7.89 hundred thousand centuries | 9.47 months                          | 6.89 hours                            |
| January17  | 4.37 thousand centuries         | 1.59 days                            | 2.29 minutes                          |
| January~17 | 19.24 million centuries         | 19.24 years                          | 1 week                                |

You can see the pattern building up in these tables. A mix of lower case and upper case is better than no mix. A mix of letters and numbers is better than no mix. A symbol character in addition to letters and numbers is better than no symbol characters. Each extra character class enlarges the alphabet the guesser has to cover, and each extra character multiplies the number of candidates by that alphabet size.
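The figures in the tables come from a simple calculation: work out which character classes a password draws on, add up the class sizes to get the alphabet, and count every string of length 1 up to the password's length over that alphabet. Dividing by the guess rate gives the worst-case time. The following is an added example (not code from the original post or from Steve Gibson's calculator) that reproduces that arithmetic; the class sizes (26 + 26 + 10 + 33 printable symbols, space included) and the three guess rates are taken from the tables above, and the month/century lengths are my own assumptions, so the last digit of a "months" figure may differ slightly from the page.

```python
# Added example: reproduce the search-space arithmetic behind the tables above.
# Character-class sizes: 26 lower-case, 26 upper-case, 10 digits, 33 printable symbols.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

# Guess rates matching the three columns of the tables.
RATES = {
    "one thousand guesses a second": 1e3,
    "one hundred billion guesses a second": 1e11,
    "one hundred trillion guesses a second": 1e14,
}

# Assumed unit lengths in seconds (Julian year, 1/12 of a year for a month).
UNITS = [
    ("century", "centuries", 3_155_760_000),
    ("year", "years", 31_557_600),
    ("month", "months", 2_629_800),
    ("week", "weeks", 604_800),
    ("day", "days", 86_400),
    ("hour", "hours", 3_600),
    ("minute", "minutes", 60),
    ("second", "seconds", 1),
]


def classes_used(password):
    """Which of the four character classes the password draws from."""
    used = set()
    for c in password:
        if c.islower():
            used.add("lower")
        elif c.isupper():
            used.add("upper")
        elif c.isdigit():
            used.add("digit")
        else:
            used.add("symbol")
    return used


def alphabet_size(password):
    """Size of the alphabet a guesser must cover once it knows which classes are present."""
    return sum(CLASS_SIZES[k] for k in classes_used(password))


def search_space(password):
    """Candidates an exhaustive search has to try before it is certain to hit the
    password: every string of length 1..len(password) over the alphabet in use."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def seconds_to_crack(password, guesses_per_second):
    """Worst-case time for an exhaustive search at the given rate."""
    return search_space(password) / guesses_per_second


def humanize(seconds):
    """Express a duration in the largest unit that gives a value of at least one."""
    for singular, plural, size in UNITS:
        if seconds >= size:
            value = f"{seconds / size:.3g}"
            return f"{value} {singular if value == '1' else plural}"
    return f"{seconds:.3g} seconds"


def crack_table(passwords, rates=RATES):
    """Build the same password-by-rate table as the post, as nested dicts of strings."""
    return {
        pw: {label: humanize(seconds_to_crack(pw, rate)) for label, rate in rates.items()}
        for pw in passwords
    }


if __name__ == "__main__":
    sample = ["january", "January", "january17", "january~17", "January17", "January~17"]
    for pw, row in crack_table(sample).items():
        print(pw.ljust(12), " | ".join(row.values()))
```

Note what the model does and does not assume: it credits the attacker with already knowing which character classes are in play, and it counts an exhaustive search, so a password that is a dictionary word or a common pattern (see the next section) is found far sooner than these figures suggest.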

But don’t forget common sense

All of this assumes that your password is not “ABCDEF” or “123456” or “Password”. These – and variations on the theme – will be the first guesses thrown at your login form and will take but milliseconds to detect.

Thanks are due to Steve Gibson for this perspective. You can test your own password’s strength using his “Interactive Brute Force Password Search Space Calculator”. His whole page is well worth reading in detail.

Protecting my clients

And in case you ask what sort of security is built into the login forms on the websites that I build, the simplest addition is a mechanism that allows me to block more than three consecutive failed logins from the same machine in any hour. There are other security measures which I won’t be discussing publicly, but this one is a good start given everything above.
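As an added illustration of that kind of mechanism (this is example code written here, not the author's site code), the following keeps a per-client run of consecutive failed logins inside a sliding one-hour window and refuses further attempts once the run reaches three. Identifying "the same machine" by its source IP address, the in-memory store, the PBKDF2 user record and the `203.0.113.7` client address are all constructed for the demo; the clock is injectable so the hour can be advanced in a test.

```python
# Added example: throttle consecutive failed logins per client within a sliding window.
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque


class FailedLoginThrottle:
    """Refuse attempts from a client once it has produced `max_failures` consecutive
    failed logins inside any `window_seconds` span. The client key is whatever the
    site uses to identify "the same machine"; the demo below assumes a source IP."""

    def __init__(self, max_failures=3, window_seconds=3600, clock=time.monotonic):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.clock = clock  # injectable so tests need not wait a real hour
        self._failures = defaultdict(deque)  # client -> timestamps of the current failure run

    def _prune(self, client, now):
        run = self._failures[client]
        while run and now - run[0] >= self.window_seconds:
            run.popleft()  # failures older than the window no longer count

    def is_blocked(self, client):
        now = self.clock()
        self._prune(client, now)
        return len(self._failures[client]) >= self.max_failures

    def record_failure(self, client):
        self._failures[client].append(self.clock())

    def record_success(self, client):
        # A successful login ends the run: only *consecutive* failures count.
        self._failures.pop(client, None)


# Constructed user store for the demo: username -> (salt, PBKDF2-HMAC-SHA256 hash).
_SALT = os.urandom(16)
_ITERATIONS = 100_000
_USERS = {"alice": (_SALT, hashlib.pbkdf2_hmac("sha256", b"January~17", _SALT, _ITERATIONS))}


def check_credentials(username, password):
    """Constant-time comparison against the stored hash; unknown users simply fail."""
    entry = _USERS.get(username)
    if entry is None:
        return False
    salt, stored = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def attempt_login(throttle, client, username, password, verify=check_credentials):
    """Return 'blocked', 'ok' or 'failed'. The throttle is consulted before the
    password is checked, so a blocked client learns nothing about the password."""
    if throttle.is_blocked(client):
        return "blocked"
    if verify(username, password):
        throttle.record_success(client)
        return "ok"
    throttle.record_failure(client)
    return "failed"


class FakeClock:
    """Manually advanced clock for the demo and tests."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def demo():
    """Three wrong guesses, a fourth attempt refused despite being correct, then success an hour later."""
    clock = FakeClock()
    throttle = FailedLoginThrottle(clock=clock)
    client = "203.0.113.7"  # constructed address from the documentation range
    outcomes = [attempt_login(throttle, client, "alice", guess)
                for guess in ["january", "January", "january17", "January~17"]]
    clock.now += 3600  # the window expires
    outcomes.append(attempt_login(throttle, client, "alice", "January~17"))
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Two points about where this fits in the picture above. It throttles guesses made against the online form, which is the "machine-gunning the login form" scenario; it does nothing to slow guessing run offline against a stolen copy of the password hashes, which is where guess rates like a hundred trillion a second come from, and that is why the password itself still has to be strong. And the count is per client, so it resets on a successful login and forgets failures older than the window, keeping a legitimate user who mistypes twice from being locked out for long.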