How Long It Takes Hackers To Crack Your Password

Discussion in 'Silicon (v)Alley' started by Superjoint, Feb 8, 2011.

  1. [image: BusinessWeek infographic, transcribed below]

    BusinessWeek says a six-character password (just letters) can be cracked in just 10 minutes, while a nine-character password complete with letters, uppercase, numbers and symbols will take 44,530 years to crack. Take a look at the image to see other comparisons: the first column describes your password, and the other columns show you how long the hackers need to hack your password.

    The Problem with Passwords

    They're annoying to remember, insecure, and costly for companies

    Most-used passwords: 123456, password, 12345678, qwerty, abc123
    Time it takes a hacker's computer to randomly guess your password:

    Length        Lowercase    + Uppercase    + Nos. & Symbols
    6 characters  10 minutes   10 hours       18 days
    7 characters  4 hours      23 days        4 years
    8 characters  4 days       3 years        463 years
    9 characters  4 months     178 years      44,530 years

    Average amount it costs a business to field a phone call requesting a password reset: $10
    Proportion of help desk calls that are password-related: 30%

    Users who choose a common word or simple key combination for a password: 50%

    Data: Gartner, Forrester, Duo Security, Imperva, LastBit Software
     
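The infographic's numbers follow directly from keyspace size divided by guess rate. The script below is an added example (not from the thread or from BusinessWeek) that calibrates the guess rate from the table's first cell (6 lowercase characters in 10 minutes) and recomputes the rest of the table; it assumes a 96-symbol alphabet for "+ Nos. & Symbols", which reproduces the published figures to within rounding.

```python
import math

# Alphabet sizes assumed for this example: lowercase, mixed case, and
# mixed case + 10 digits + 34 printable symbols (96 total).
CHARSETS = {"Lowercase": 26, "+ Uppercase": 52, "+ Nos. & Symbols": 96}


def keyspace(length: int, alphabet: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet ** length


def entropy_bits(length: int, alphabet: int) -> float:
    """Equivalent strength in bits; each extra character adds log2(alphabet)."""
    return length * math.log2(alphabet)


def crack_seconds(length: int, alphabet: int, guesses_per_sec: float) -> float:
    """Worst-case time to exhaust the keyspace (the average hit is half this)."""
    return keyspace(length, alphabet) / guesses_per_sec


def implied_rate(length: int, alphabet: int, seconds: float) -> float:
    """Guess rate that a published crack time implies, used to calibrate the table."""
    return keyspace(length, alphabet) / seconds


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that fits, like the infographic does."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.0f} seconds"


def crack_table(guesses_per_sec: float, lengths=(6, 7, 8, 9)) -> dict:
    """(length, charset name) -> worst-case seconds, for every cell of the table."""
    return {(n, name): crack_seconds(n, size, guesses_per_sec)
            for n in lengths for name, size in CHARSETS.items()}


if __name__ == "__main__":
    rate = implied_rate(6, 26, 10 * 60)  # calibrate on "6 lowercase = 10 minutes"
    print(f"implied rate: {rate:,.0f} guesses/s")
    for (n, name), secs in crack_table(rate).items():
        print(f"{n} chars, {name:>17}: {humanize(secs):>14} "
              f"({entropy_bits(n, CHARSETS[name]):.1f} bits)")
```

The calibrated rate is only about half a million guesses per second, which is why the multipliers (26x per extra lowercase character, far more per charset step) matter more than the absolute years: an offline attack against a leaked hash database runs orders of magnitude faster, so every cell shrinks together.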
  2. We require 8 characters with at least 3 different character types. People try to bitch and I tell them, "That's not a problem, I have a tool that will generate a random password if you can't come up with one."
     
  3. Problem is, about, um... let me see here... 0% of passwords are actually cracked using the brute-force timings laid out above?

    It's a problem of people being loose-keyboard dipstains, that's the problem. People can't keep their passwords to themselves. Someone might have a 12-character mixed-case-with-symbols gibberish password generated by some generator, but then some "logmeinpaypalebay.com" site comes along and is like OH YOU NEED TO UPDATE YOUR INFORMATION! Grandma just crunches her password in, and suddenly that 96 millenniums gets cut down to 96 seconds. :rolleyes:

    The only password policy I'm all for enforcing is avoiding the use of common passwords (words in general) and short (<5 character) passwords. That's the only sane policy worth enforcing.
     
  4. Very true, use a word you made up yourself if you don't want your password to get brute-force cracked.
     
  5. My password is a random assortment of many numbers, letters, and symbols.

    They're not cracking it.

    But I still hope I didn't encourage them to try.
     
  6. I don't think that's accurate. I had a RuneScape account that kept getting hacked last summer. I would make my password entirely random numbers and letters. Let me show you one I used: g458d7zmgtgx57fy34d8. I would unlock my account and within 3 hours I was hacked again after JUST setting a completely random password like that. Literally within a few hours of making the password I would get hacked. I only have my account now because I have all my account information and you can't unlock it without all the account info. So the hacker had to wait for me to unlock it before he could hack it. Once I realized he wasn't going to stop I just left my account in lock mode for almost a year. He's fucked off now, but it was annoying as a mosquito flying near your ear when you're half asleep.
     
  7. I know at work, we made our passwords 13 characters long and they must include at least one number, letter, and symbol.


    What you don't realize is that most people give out their password all the time. Here is what happens most of the time.

    “Hello Suzy. My name is Bob and I'm from the IT department. We are currently attempting to install a new security update on your computer, but we can't seem to connect to the user database and extract your user information. Would you mind helping me out and letting me know your password before my boss starts breathing down my neck? It's one of those days, ya' know?”

    9 times out of 10 "Suzy" will give it out.
     
  8. Looks like I have to change my password. :eek:
     
  9. lol... hackers aren't just sitting behind computer screens trying to crack passwords... that's a waste of time


    Most common way to gain access to systems? Simple... ask.

    Every successful hacker out there uses social engineering to achieve their goals, whether it be calling a law firm posing as a member of IT support, or even as an employee in a company.


    9 times out of ten, when a secured system is breached it's not the failure of hardware and software security... it's human error/ignorance.
     
  10. You probably had a key logger installed on your machine.
     
  11. Nope. I had no keylogger, as he would have hacked my other accounts too.
     

  12. Is that your only basis for assuming you didn't have a keylogger? Because the ONLY way that scenario would've been possible, where someone could just "keep hacking your account" repeatedly, after changing your password, is if someone was intercepting your new password whenever you entered it. There is ABSOLUTELY NO WAY any third party could just "guess" random passwords that quickly.

    And I'm glad to see everyone else in this topic agrees: brute-force password cracking is a load of BS. Only a high-profile target is worth the time and effort invested in brute-forcing, and even then it's a long shot with lots of optimizations necessary. No cracker is going to wait a month or more, let alone a year, to crack someone's account. That time would be better spent trying to get them to type their password into a form that'll capture it for them... i.e.: phishing.
     

  13. I would rather them use a rainbow table than brute force. You will get it way faster.
     

  14. That too, and that's the only reason it's important to use a longer, complex password. But that only comes into play on systems with poor security... where passwords are simply MD5'd and stored. Someone can just whack it with a rainbow table and pull up a value that matches that hash, and spoof the password using the generated (retrieved) value. But again, that relies on poor server-side security.

    Admittedly, someone could probably rainbow-table my password (or any other password under 8 characters) in an instant. That's why this topic has kinda prompted me to start playing around with KeePass, a password-management database. I'd always been of the mind that it's really poor practice to keep "all your eggs in one basket", but the simple fact is, it's safe there. If one of your passwords gets compromised, it only affects that one. After I had my Gmail account password cracked and someone spammed my contact list with my account, I freaked out. I used that one password for almost everything "medium security" online. Forums, websites, etc... everything but my financial stuff and server stuff. I didn't know what to do... it took me months to remember my latest password permutation, and even that I don't use on many places for a simple catch-22: it's secure, but what if the server isn't so secure? What if that password gets stolen? Again, big problem.

    Best solution I've considered from all angles is the password store. Generate a random password, have it store it, retrieve it as needed. An Android app also allows the store to be taken around with me wherever I need it as well. There's still the question of "what if I need a password and don't have the store handy?", but... well... it's a hell of a lot more secure than using the same password everywhere. :D
     
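Post 14's point about "simply MD5'd and stored" passwords, as an added example (Python, not code from the thread): the five "most-used passwords" from the first post fall instantly to a precomputed digest map, which is all a rainbow or lookup table is, whereas a per-user random salt plus PBKDF2 (the mitigation shown here, an assumption about what a sane server would do rather than anything the thread describes) makes the precomputation worthless and each guess expensive.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample: the "most-used passwords" listed in the first post.
COMMON = ["123456", "password", "12345678", "qwerty", "abc123"]
ITERATIONS = 200_000  # PBKDF2 work factor assumed for this example


def md5_unsalted(password: str) -> str:
    """The weak scheme from the post: bare MD5, no salt.
    The same password yields the same digest on every site, so one
    precomputed table reverses it everywhere."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup(candidates) -> dict:
    """Precompute digest -> password once; reuse against any unsalted dump."""
    return {md5_unsalted(p): p for p in candidates}


def reverse_unsalted(digest: str, lookup: dict) -> Optional[str]:
    """Instant recovery: no guessing at all, just a dictionary lookup."""
    return lookup.get(digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Mitigation: 16 random salt bytes per user plus PBKDF2-HMAC-SHA256.
    Returns (salt, digest); the salt is stored beside the digest in clear."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    table = build_lookup(COMMON)
    leaked = md5_unsalted("qwerty")          # what an unsalted dump would contain
    print("unsalted MD5 reversed to:", reverse_unsalted(leaked, table))

    salt_a, digest_a = hash_password("qwerty")
    salt_b, digest_b = hash_password("qwerty")
    print("same password, two users, digests differ:", digest_a != digest_b)
    print("lookup table hit on salted digest:", reverse_unsalted(digest_a.hex(), table))
    print("login check:", verify_password("qwerty", salt_a, digest_a))
```

Salting does not make a weak password strong (the attacker can still guess "qwerty" per user), it only removes the shared precomputation; the slow KDF is what turns each of those per-user guesses into real work.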
  15. Physical access is a danger also.
    Many in the field have a simple program that can be used from a CD or USB drive. A few seconds to load and blank the password for admin access. :cool:
     
