Password strength: what makes a password strong?

Basically, password strength depends on the number of possible combinations that must be tried in order to guess (or crack) the password. For example, standard 4-digit PIN codes are weak passwords, because there are only 10000 possible combinations. This is not a big problem for ATMs, because the PIN code is useless without the card and most ATMs block when the PIN does not match more than 2-3 times. However, in many other cases it is possible to use automated password cracking tools, which can try thousands or even millions of passwords per second, so any weak password will be cracked in a matter of seconds or minutes.

The number of possible combinations depends on the symbols used in the password and on the password length. See the table below for some estimates of the time needed to crack passwords of different complexity on 4 typical computers. The first computer is a contemporary mid-level PC, which can test 1 million passwords per second. The second is a future computer 10 years from now, which will be able to test 65 million passwords per second. The third computer is a contemporary mid-level supercomputer, which can test 1 billion passwords per second, and the last is a future supercomputer 10 years from now, which will be able to test 65 billion passwords per second. Please note that these are approximate estimates and the actual password testing speed may be significantly faster or slower for different types of encryption algorithms.

| Password type | PC | Future PC | Supercomputer | Future supercomputer |
|---|---|---|---|---|
| 4 digits | Instantly | Instantly | Instantly | Instantly |
| 6 letters (only uppercase or only lowercase) | 5 min | 5 sec | Instantly | Instantly |
| 6 letters (mixed case) | 6 hours | 5 min | 20 sec | Instantly |
| 6 letters (mixed case) and digits | 16 hours | 15 min | 57 sec | Instantly |
| 8 letters (mixed case), digits and special symbols | 23 years | 5 months | 9 days | 3 hours |
| 12 letters (mixed case), digits and special symbols | 615 mln. years | 9 mln. years | 615,000 years | 9460 years |

NOTE: The numbers above are valid only if the symbols of the password are truly random. If the password symbols are not random, then the cracking times are drastically lower.
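
The arithmetic behind the table and the NOTE above, as an added Python example (not part of the original article). The count of 10 special symbols, the sample passwords, the "word plus two digits" pattern and the 100,000-word dictionary size are assumptions; 10 special symbols give a 72-symbol alphabet, which reproduces the table's 23 years for 8 symbols on the PC.

```python
import string

# Guessing rates (passwords per second) as stated in the article.
RATES = {"PC": 1e6, "Future PC": 65e6,
         "Supercomputer": 1e9, "Future supercomputer": 65e9}

def alphabet_size(password, special_count=10):
    """Size of the smallest alphabet, built from whole character classes,
    that contains every symbol of the password.
    special_count=10 is an assumption: the article does not say how many
    special symbols it counts, but 10 matches its 8- and 12-symbol rows."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c not in string.ascii_letters + string.digits for c in password):
        size += special_count
    return size

def brute_force_seconds(password, rate):
    """Worst-case time to try every combination of this alphabet and length."""
    return alphabet_size(password) ** len(password) / rate

def pattern_seconds(dictionary_words, rate):
    """Worst-case time when the password is not random but follows the pattern
    'dictionary word, optionally capitalised, followed by two digits'."""
    return dictionary_words * 2 * 100 / rate

def humanize(seconds):
    for unit, size in (("years", 31_557_600), ("days", 86_400), ("hours", 3_600), ("min", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} sec" if seconds >= 1 else "Instantly"

if __name__ == "__main__":
    # Constructed sample passwords, not taken from the article.
    for pw in ("4821", "qzkhmw", "Summer24", "k7#Rp2!x"):
        print(pw, {name: humanize(brute_force_seconds(pw, r)) for name, r in RATES.items()})
    # "Summer24" looks like one of 62**8 combinations, but a 100,000-word list
    # (assumed size) combined with the pattern above covers it in 2e7 guesses.
    print("Summer24 as a pattern:", humanize(pattern_seconds(100_000, RATES["PC"])))
```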

