Password strength: what makes a password strong?
Basically, password strength depends on the number of possible combinations that must be tried in order to guess (or crack) the password.
For example, the standard 4-digit PIN codes are weak passwords, because there are only 10000 possible combinations. This is not a big problem for ATMs,
because the PIN code is useless without the card and most ATMs block when the PIN does not match more than 2-3 times. However, in many other cases
it is possible to use automated password cracking tools, which can try thousands or even millions of passwords per second, so any weak
password will be cracked in a matter of seconds or minutes.
The number of possible combinations depends on the symbols used in the password and on the password length. See the table below for some estimates
of the time needed to crack passwords of different complexity on 4 typical computers. The first computer is a contemporary mid-level PC, which can test 1 million
passwords per second. The second is a future computer 10 years from now, which will be able to test 65 million passwords per second. The third computer is a contemporary
mid-level supercomputer, which can test 1 billion passwords per second, and the last is a future supercomputer 10 years from now, which will be able to test 65 billion
passwords per second. Please note that these are approximate estimates and the actual password testing speed may be significantly faster or slower for different types of
encryption algorithms.

| Password | Mid-level PC (1 million/sec) | PC in 10 years (65 million/sec) | Mid-level supercomputer (1 billion/sec) | Supercomputer in 10 years (65 billion/sec) |
|---|---|---|---|---|
| 4 digits | Instantly | Instantly | Instantly | Instantly |
| 6 letters (only uppercase or only lowercase) | 5 min | 5 sec | Instantly | Instantly |
| 6 letters (mixed case) | 6 hours | 5 min | 20 sec | Instantly |
| 6 letters (mixed case) and digits | 16 hours | 15 min | 57 sec | Instantly |
| 8 letters (mixed case), digits and special symbols | 23 years | 5 months | 9 days | 3 hours |
| 12 letters (mixed case), digits and special symbols | 615 mln. years | 9 mln. years | 615,000 years | 9460 years |

NOTE: The numbers above are valid only if the symbols of the password are truly random. If the password symbols are
not random, then the cracking times are drastically lower.
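
The calculation behind the table and the NOTE, as an added example that is not part of the original page: worst-case search time is the number of candidates divided by the guess rate. The 72-symbol alphabet is an assumption inferred from the table's 8- and 12-character rows, and the 100,000-word list is a constructed input.

```python
# Worst-case exhaustive-search time = alphabet_size ** length / guesses_per_second.
YEAR = 365.25 * 24 * 3600

# Guess rates taken from the text above (passwords per second).
RATES = {
    "PC today": 1e6,
    "PC in 10 years": 65e6,
    "Supercomputer today": 1e9,
    "Supercomputer in 10 years": 65e9,
}

# Alphabet sizes. 72 (62 alphanumerics + 10 special symbols) is an assumption
# inferred from the table's 8- and 12-character rows; the page does not state it.
ALPHABETS = {"digits": 10, "single-case": 26, "mixed-case": 52,
             "mixed+digits": 62, "mixed+digits+special": 72}


def keyspace(alphabet_size, length):
    """Number of candidate passwords when every symbol is chosen at random."""
    return alphabet_size ** length


def seconds_to_exhaust(candidates, rate):
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return candidates / rate


def humanize(seconds):
    """Render a duration in the largest unit that keeps the number >= 1."""
    if seconds < 1:
        return "instantly"
    for unit, size in (("years", YEAR), ("days", 86400), ("hours", 3600), ("min", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.0f} sec"


def pattern_keyspace(wordlist_size, digits):
    """Candidates for a non-random 'dictionary word + N digits' password."""
    return wordlist_size * 10 ** digits


if __name__ == "__main__":
    for name, length in (("digits", 4), ("single-case", 6), ("mixed+digits", 6),
                         ("mixed+digits+special", 8), ("mixed+digits+special", 12)):
        n = keyspace(ALPHABETS[name], length)
        row = ", ".join(f"{pc}: {humanize(seconds_to_exhaust(n, r))}" for pc, r in RATES.items())
        print(f"{length} x {name}: {row}")
    # Constructed case for the NOTE: 'word + 2 digits' from a hypothetical 100,000-word list.
    print("word + 2 digits:", humanize(seconds_to_exhaust(pattern_keyspace(100_000, 2), 1e6)))
```

A "word + 2 digits" password can easily be 8 or more characters long, yet its search space is 10 million candidates rather than 72^8, which is the effect the NOTE describes.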