
How to create a very strong password

on September 15, 2010
Researchers call for stronger passwords
An article on the BBC recently called for people to use stronger passwords in the wake of the greater computational power available to hackers. Security needs to scale as computers become more powerful because security is ultimately a numbers game: a hacker needs to guess the correct numbers to get to the encrypted data, and security is all about how much time he will likely need to guess those numbers.

The most elementary form of protection is the password. Security systems do not store the password directly; instead they run it through a hashing algorithm and store the resulting hash. When you type in a password it is hashed and compared with the stored hash, and if the two match the user is granted access. Someone who steals the hash still cannot access the system, because he would need to produce a string that, when hashed, yields the very hash he stole. This is harder than it sounds: there are literally billions of combinations, and computing each hash costs a non-trivial amount of processing.
How long does it take to crack a password?
There are many factors to consider, starting with the type of attack. If your password is a dictionary word it will be cracked within seconds, because the attacker will use a dictionary attack. If you don’t use a dictionary word the attacker is forced into a brute force attack, which simply tries every possible combination. The time that takes is determined by the strength of your password, which depends on how many combinations are possible – the mix of lowercase letters, uppercase letters, numbers and symbols. A modern four-core computer can test 100,000,000 passwords per second; below is an estimate of how long a brute force search would take at that rate:

| Password type | Length | Time |
|---|---|---|
| Numbers only | 8 characters | Instant |
| Numbers only | 9 characters | 10 seconds |
| Alphabet, all the same case | 8 characters | 35 minutes |
| Alphabet, mixed case | 8 characters | 6 days |
| Alphabet, mixed case | 9 characters | 322 days |
| Mixed case and numbers | 8 characters | 25 days |
| Mixed case and symbols | 8 characters | 346 days |
| Mixed case, numbers and symbols | 8 characters | 2 years |

The table above shows that a password which uses a mix of lower case, upper case and numbers and has the recommended 8 characters will take approximately 25 days to crack! If your data is time sensitive that should be good enough right? Unfortunately the answer is no.

Security is a numbers game, and in the last couple of years the numbers have changed drastically. GPUs (Graphics Processing Units) have become powerhouses; they are essentially supercomputers on a small chip. It was only natural that password cracking, an ideal task for this kind of architecture, would exploit that power. Furthermore, several GPUs can be combined to pool their computational power; building a computer with four GPUs is easy, if a little expensive.

How do GPUs change the numbers?
According to a benchmark I found by a developer of one such password-cracking tool that uses the GPU to speed up the process, on a GeForce 9800GX2 the software can try 608 million combinations every second – 6x the speed of a quad-core CPU. The bad news doesn’t end there: the GeForce 9800GX2 is a bit old by today’s standards and is rated at approximately 1 teraflop.

A modern graphics card such as the ATI HD5970 is rated at 5.5 teraflops, which can yield 33x the speed of a modern CPU. Imagine four of these cards installed in one computer and you have a system that can theoretically crunch 13,200,000,000 passwords per second. With such a system the time needed to crack a password changes as follows:

| Password type | Length | Time |
|---|---|---|
| Numbers only | 8 characters | Instant |
| Numbers only | 9 characters | Instant |
| Alphabet, all the same case | 8 characters | 15 seconds |
| Alphabet, mixed case | 8 characters | 1 hour |
| Alphabet, mixed case | 9 characters | 2 days |
| Mixed case and numbers | 8 characters | 4.5 days |
| Mixed case and symbols | 8 characters | 2.6 days |
| Mixed case, numbers and symbols | 8 characters | 5 days |

This kind of performance currently costs the attacker over $2,800; with GPUs you can expect that price to halve in the next year or two.

The next question is what kind of password we need in order to retain our comfortable two-year cracking time. Luckily, adding one more character (increasing the length to nine characters for our very strong mixed case, numbers and symbols password) will do the trick: this setup will take 1.7 years to crack, compared with the 2.26 years it would take a regular four-core computer. If on the other hand you’d rather use an easier-to-remember mix of lowercase and uppercase letters and numbers, then 10 characters is the minimum length needed to reach the two-year mark.

Two years of cracking time is the bare minimum that I would consider secure. Traditionally that meant a password at least eight characters long consisting of mixed case letters and numbers; in today’s world the bare minimum is 10 characters for this type of password, or nine characters if you also include symbols in the mix. An additional advantage of using symbols in passwords is that an attacker might not include them in his first run of brute forcing, wasting precious time trying to crack a password that cannot be found in that run.

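To make the arithmetic behind both tables reproducible, here is an added Python example (not part of the original article) that computes the worst-case exhaustive-search time from character-set size, length and guess rate, and the smallest length that reaches a target cracking time. The 34-symbol count is an assumption chosen so that the set sizes reproduce the article’s 346-day and roughly two-year CPU figures; the guess rates are the article’s 100,000,000 and 13,200,000,000 per second.

```python
import math

# Character-class sizes for the article's password types. The 34-symbol count
# is an assumption: with it the "mixed case and symbols" set (86) and the full
# set (96) reproduce the article's 346-day and ~2-year CPU figures.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 34

CHARSETS = {
    "Numbers only": DIGITS,
    "Alphabet, all the same case": LOWER,
    "Alphabet, mixed case": LOWER + UPPER,
    "Mixed case and numbers": LOWER + UPPER + DIGITS,
    "Mixed case and symbols": LOWER + UPPER + SYMBOLS,
    "Mixed case, numbers and symbols": LOWER + UPPER + DIGITS + SYMBOLS,
}

CPU_RATE = 100_000_000      # guesses/s, the article's four-core CPU
GPU_RATE = 13_200_000_000   # guesses/s, the article's four-card HD5970 box


def seconds_to_exhaust(charset_size, length, rate, gpus=1):
    """Worst-case seconds to try every combination; more GPUs scale linearly."""
    return charset_size ** length / (rate * gpus)


def humanize(seconds):
    """Express a duration in the largest convenient unit, as the tables do."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return "instant"


def min_length_for(charset_size, rate, target_seconds):
    """Smallest length whose exhaustive search takes at least target_seconds."""
    return math.ceil(math.log(target_seconds * rate, charset_size))


if __name__ == "__main__":
    two_years = 2 * 365 * 86400
    for label, size in CHARSETS.items():
        for length in (8, 9, 10):
            cpu = humanize(seconds_to_exhaust(size, length, CPU_RATE))
            gpu = humanize(seconds_to_exhaust(size, length, GPU_RATE))
            print(f"{label:32} {length:2}  CPU {cpu:>14}  GPU {gpu:>14}")
        need = min_length_for(size, GPU_RATE, two_years)
        print(f"{'':32} -> {need} characters for two years on the GPU box")
```

The times are worst case; on average the correct password turns up after about half the keyspace has been tried.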
Keep this in mind next time you create a new password or a password policy.

Comments
Kristjan Farrugia, September 16, 2010 11:16 am

Nice post and really interesting! Thanks for sharing :)

I believe implementing a server side maximum login attempts drastically decreases attackers success rate.

Shane, September 16, 2010 1:03 pm

I think this article reflects an emerging attitude of more organizations toward password security practices. Eight or nine alpha numeric characters is becoming more common. I have seen some organizations utilizing symbols, but not all. I wish the article would have stated what length of password was needed to accomplish the “two year cracking time” in the “How do GPUs change the numbers?” example.

Michael G, September 16, 2010 5:24 pm

The impact of using GPUs for underhanded tasks such as password-cracking is frightful. I don’t think it’s very bothersome at all for one to use 9+ mixed characters for added assurance. I’ve seen too many users use something as silly as “pizza”.

Note: (I think the time calculation for “Mixed Case and Numbers” under the GPU section might need to be in hours, not days.)

M. KRISHNA PRASAD, September 17, 2010 7:02 pm

informative and useful

Richard, September 20, 2010 12:29 pm

You should also note! Even if the server side has max logon attempts, the administrator account will not be disabled with bad login attempts.

The physical access is probably most important to your PC/Servers. If the HASH can be stolen off of the computer, it does not matter on how many attempts you try, it is a brute force against the hash and here is where the account can be guessed.

Additionally, changing the administrator account on your machine also is not always secure. Once again, physical access can reveal that the SID for the administrator account ALWAYS ends in 500. This is another MS flaw.

Down under

Sue Walsh, September 27, 2010 6:14 am

Great post! I have always used a mix of mixed case letters and numbers for my passwords but I never thought of using symbols before. That’s an excellent idea.

Richard, it’s funny you should mention disabling after so many bad login attempts. I was just thinking about how uneasy I feel about the fact one of the two banks I use lets you make unlimited login attempts. They don’t lock the account after a certain amount of failed logins. My other bank on the other hand locks you out after the second failed attempt. Think one could learn something from the other?

Emmanuel Carabott, October 25, 2010 6:18 pm

@Shane:
The article does state what password combination you need to use to get a 2 year cracking time, but perhaps it’s not very clear. Basically using mixed case and numbers you need 10 characters for a GPU setup based on the article specs to go through all the combinations in 2 years. If you also add symbols to the mix 9 characters will suffice. Bear in mind that all numbers are approximations of how long a system would need to try all the combinations. In real life it depends on how many guesses the cracking programs will take before reaching the correct combination.

@Michael G:
The most frightening part of using GPUs is that it can easily scale. How much money you put in it is what determines how long it will take to crack a password. Double the amount of GPUs and you halve the time needed to go through all the combinations; thus the times above are only a baseline indication of how long it will take.

I have to agree with Richard, remote login attempts will propel the time needed to try a password by a lot! Basically all the advantages of using GPUs will be lost as the time required to establish the connection and try the password will be a lot more than the time required to try and guess the password or even generate the password combination. The only danger GPUs pose to passwords in this context is if someone has access to the hash itself so protecting that is paramount!

Texas Data Vault, November 17, 2010 6:07 pm

Emmanuel, great post. It really shows the importance of taking the time to figure out a strong password for yourself. I had a client just yesterday who had her Joomla website hacked. When I asked her for her user and pw so that I could login and check it out she gave me admin, password. I thought, “Wow, no wonder you were hacked”. I am going to send this to her and will also be posting it on my site as this was very well done. Thanks.

daniel luther, December 12, 2010 6:05 pm

A lot of websites and software applications that require passwords now run algorithms to determine just how strong your password is (usually ranking it from weak to very strong). However, some are far more reliable than others. Some applications simply count the number of characters in the password. Others go as far as checking that back to the number of discernible dictionary words plus non-alphabet text. The more random, of course, the better.

Jonathan Chester, December 12, 2010 6:40 pm

Incredibly interesting stuff! I could have guessed that the average four core computers could crack a fair share of passwords, but to be able to churn out over a hundred million passwords per SECOND? I think I have to start rethinking my passwords. So much for slacking off and naming everything after my pets, my family and my ex-girlfriends. If ever I get hacked, I probably deserve it. *knocks on wood*

richard, December 15, 2010 5:56 pm

And to think that the kind of hardware that was used to run these kinds of tests is pretty dated. Though it is by no means obsolete; code breakers, hackers and internet vandals definitely pack a lot more punch than the mid range gear outlined in this article. It’s curious to see what kind of results we’d be seeing using i7/GTX type specs; stuff that’s more than affordable in today’s market.

Emmanuel Carabott, December 17, 2010 11:13 am

@Jonathan – The biggest problem with using names is not that the password is not that complex but that it’s easily guessable by anyone who knows you. Risk changes depending on the attacker obviously. I imagine you use names because you find them easy to remember and there is no need to throw that away; feel free to use names, just change them a bit to make them both stronger and impossible to guess. This can be done by substituting a particular letter with a symbol and adding a couple of numbers. For example assuming you’re using a fruit’s name as a password, say: Apple, this could in turn be changed to 12App|e24 and all you need to remember is that l is substituted with | (you can do that always) and if say 24 is your favorite number you put it at the end and 1/2 of it at the beginning. That would still be easy to remember but it’s a lot stronger than before.

@Richard – So far in terms of computing power the situation on the graphic card front didn’t change. The ATI HD5970 is still the card with the highest rated floating point operations per second. The fastest i7, the 980, is rated at 107 Gflops.

bryan reeves, January 4, 2011 9:51 pm

@jonathan

I don’t think having your passwords named after personal items is a very safe (or smart) practice of security. I think it’s already been mentioned that individuals who know you personally will be able to guess your passwords straight off the bat, but strong decryption algorithms are designed to be able to “auto-complete” trillions of possible words and key phrases that could turn out to be your password. The more random your password, the better.

jaime, January 4, 2011 10:00 pm

I know of certain individuals who have completely reduced the memory of their own passwords to actual muscle memory. Offhand, they can only readily recall the very first character of their password, and trace the rest through a strange remembrance of movements and actions. They’ve admitted that without a keyboard in front of them, they wouldn’t be able to easily spell out their own password, which is as secure a password as you can get, I believe.

Lemuel, January 5, 2011 5:58 am

Science-fiction blog i09.com recently posted a security concern regarding its mother company Gawkermedia.com. Apparently, non-latin based characters were being registered as interchangeable with each other. Because of this non-English based passwords could actually be accessed by simply typing any order of non-English based characters. Although Gawkermedia is looking into the security concern now, it has urged all its registered users with non-English based passwords to change them immediately.

So much for using completely random characters.