Analysis:
"Strong" isn't a detailed password rating; go for quintillions of
possible combinations, then add a symbol.
Security breaches of mind-numbing size like those at LinkedIn and eHarmony.com
set crypto and security geeks chattering about weak passwords, lazy users, and
the importance of non-alphanumeric characters. And insisting on a particular
number of characters in a password is just pointless security-fetish control
freakishness, right? Nope.
The number and type of characters make a big difference. How big? A symbol
takes a password out of reach of a straight dictionary attack (one that tries,
literally, words from a dictionary). It does not defeat a rule-based attack
that tries dictionary words with digits and symbols tacked on, so "password!"
buys far less than the arithmetic below suggests. A symbol, especially an
unusual one, also pushes a password beyond most rainbow tables (precomputed
hash tables built over a fixed character set, which often covers only letters
and digits). How big a difference do length and character set make?
Look below and pick which password-cracking jobs you'd want to take on if you
were a computer. The examples come from the Interactive Brute Force Password
Search Space Calculator on the Password Haystacks page at GRC.com
(https://www.grc.com/haystack.htm), the creation of former InfoWorld columnist
and freeware contributor Steve Gibson. The calculator infers the character set
from the password it is given (26 lowercase letters, 26 uppercase, 10 digits,
33 symbols), counts every string of that character set up to the password's
length, and divides by three assumed guessing rates.
How long would it take to crack my password? (Lowercase letters and numbers
only, no uppercase and no symbols: a 36-character set.)
Six characters: 2.24 billion possible combinations
· Online attack, a web app hitting the target site at one thousand guesses per second: 3.7 weeks
· Offline attack using high-powered servers or desktops (one hundred billion guesses per second): 0.0224 seconds
· Offline attack using a massively parallel multiprocessing cluster or grid (one hundred trillion guesses per second): 0.0000224 seconds
Ten characters: 3.76 quadrillion possible combinations
· Online attack, a web app hitting the target site at one thousand guesses per second: about 1.19 thousand centuries (3.76 × 10^15 guesses at one thousand per second)
· Offline attack using high-powered servers or desktops (one hundred billion guesses per second): 10.45 hours
· Offline attack using a massively parallel multiprocessing cluster or grid (one hundred trillion guesses per second): 37.61 seconds
Add a symbol and the crack becomes several orders of magnitude harder. Note
that appending a symbol does two things at once: it lengthens the password by
one character, and it widens the character set the attacker must assume from
36 to 69 (lowercase letters, digits and the calculator's 33 symbols). The
counts below are therefore for seven and eleven characters over that
69-character set, which is how the calculator arrives at them:
Six characters plus a symbol (seven characters): 7.6 trillion possible combinations
· Online attack, a web app hitting the target site at one thousand guesses per second: 2.4 centuries
· Offline attack using high-powered servers or desktops (one hundred billion guesses per second): 1.26 minutes
· Offline attack using a massively parallel multiprocessing cluster or grid (one hundred trillion guesses per second): 0.0756 seconds
Ten characters plus a symbol (eleven characters): 171.27 quintillion possible combinations (171,269,557,687,901,638,419, or 1.71 × 10^20)
· Online attack, a web app hitting the target site at one thousand guesses per second: 54.46 million centuries
· Offline attack using high-powered servers or desktops (one hundred billion guesses per second): 54.46 years
· Offline attack using a massively parallel multiprocessing cluster or grid (one hundred trillion guesses per second): 2.83 weeks
Take Steve's advice: go for ten characters, then add a symbol. Two caveats go
with the numbers. They are exhaustive-search figures, so a password an attacker
can reach from a wordlist plus a few mangling rules never gets the benefit of
its search space, however large. And the offline rates assume a fast, unsalted
hash like the SHA-1 hashes leaked from LinkedIn; a site that stores passwords
with a deliberately slow hash (bcrypt, scrypt, PBKDF2) cuts those offline rates
by orders of magnitude, and rate limiting or lockouts cut the online rate
further still.
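As an added example (not GRC's code and not from the original post), the Python below reproduces the calculator's search-space arithmetic for constructed sample passwords matching the four cases above, and then runs a toy rule-based dictionary attack against a dictionary word dressed up with a capital, a digit and a symbol, to show why such a password gets none of its search-space benefit. The wordlist, mangling rules and sample passwords are constructed for illustration; the three guessing rates and the 26/26/10/33 character classes are the calculator's.

```python
"""Search-space arithmetic in the style of GRC's Password Haystacks calculator,
next to a toy rule-based dictionary attack. Added example, not GRC's code."""
import string

# Character classes as the calculator counts them: 26 + 26 + 10 + 33 = 95.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
SYMBOLS = set(string.punctuation) | {" "}   # 32 ASCII punctuation marks plus space

# The three guessing rates used on the calculator page.
GUESS_RATES = {
    "online, web app hitting a live site (1,000/s)": 1e3,
    "offline, high-powered desktop or server (1e11/s)": 1e11,
    "offline, massively parallel cluster (1e14/s)": 1e14,
}


def alphabet_size(password):
    """Infer the attacker's alphabet from the classes the password actually uses."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in SYMBOLS:
            classes.add("symbol")
        else:
            raise ValueError(f"{ch!r} is outside the calculator's 95-character set")
    return sum(CLASS_SIZES[c] for c in classes)


def search_space(password):
    """Every string of length 1..len(password) over the inferred alphabet.
    Counting the shorter lengths too is what makes 'a1b2c3' come out at
    2.24 billion rather than 36**6 = 2.18 billion."""
    a, n = alphabet_size(password), len(password)
    return sum(a ** i for i in range(1, n + 1))


def crack_seconds(password, rate):
    """Worst case: the attacker has to try the whole space at `rate` guesses/s."""
    return search_space(password) / rate


_UNITS = [("centuries", 3_155_760_000), ("years", 31_557_600), ("weeks", 604_800),
          ("days", 86_400), ("hours", 3_600), ("minutes", 60)]


def humanize(seconds):
    """Render a duration the way the calculator does ('3.70 weeks', '0.0224 seconds')."""
    for name, size in _UNITS:
        if seconds >= size:
            return f"{seconds / size:.2f} {name}"
    return f"{seconds:.3g} seconds"


# --- Why the search space is an upper bound, not a guarantee ------------------
# Constructed mini wordlist and mangling rules standing in for a real cracker's
# wordlist and rule file; real lists run to millions of entries, but a hit at
# position N of the rule-expanded list still costs N guesses, not 10**20.
WORDLIST = ["password", "letmein", "welcome", "dragon", "monkey", "baseball"]
SUFFIXES = ["1", "123", "!", "1!", "123!"]


def candidates(words=WORDLIST):
    """Yield guesses in a typical order: plain words, capitalised, then with suffixes."""
    for w in words:
        yield w
    for w in words:
        yield w.capitalize()
    for w in words:
        for suffix in SUFFIXES:
            yield w + suffix
            yield w.capitalize() + suffix


def guesses_to_find(target, words=WORDLIST):
    """Number of guesses a rule-based attack needs to hit `target`, or None."""
    for i, guess in enumerate(candidates(words), start=1):
        if guess == target:
            return i
    return None


def report(password):
    lines = [f"{password!r}: {search_space(password):,} possible combinations"]
    for label, rate in GUESS_RATES.items():
        lines.append(f"  {label}: {humanize(crack_seconds(password, rate))}")
    hit = guesses_to_find(password)
    if hit is not None:
        lines.append(f"  ...but a rule-based dictionary attack finds it on guess #{hit}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample passwords matching the post's four cases, plus a
    # dictionary word dressed up with a capital, a digit and a symbol.
    for pw in ("a1b2c3", "a1b2c3d4e5", "a1b2c3!", "a1b2c3d4e5!", "Password1!"):
        print(report(pw))
```

Running it reproduces the post's figures (2.24 billion, 3.76 quadrillion, 7.56 trillion and 171,269,557,687,901,638,419 combinations) and shows that "Password1!" has a 95-character, ten-position search space of about 6 × 10^19 yet falls on the twentieth guess of a six-word list with five suffix rules.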