So in honor of my first blog entry I felt I should cover the topic I originally wanted to discuss: computer security. I'm going to start with a really easy topic, password protection. There are several subtopics here, but I am just going to cover password strength.
I often discuss password strength with my family, especially those who have recently had their accounts cracked. If a password isn't difficult, it becomes very easy to break with tools like John the Ripper. So first the assumption: we are going to assume an attacker can attempt 10,000 passwords a second. This might seem outrageous, but this is the standard unit of measurement I use in my computer security classes.
So let's start simple with a PIN: 10 possible characters (0-9) and a length of 4. ATM PINs are generally 4 digits. That means there are 10^4 = 10,000 possibilities. Total time to break: 1 second.
OK, let's make our password a little more advanced: 36 possible characters (0-9, a-z) and a length of 6. For the sake of simplicity we will assume uniform randomness, meaning every character is equally likely (this is almost never true). So there are 36^6 = 2,176,782,336 possibilities. Huge number, right? Well, based on the speed of our crack it would take approximately 2.5 days to break that password: (36^6) / (10000*60*60*24). Not much time for a computer.
OK, let's do the same thing as above, but with a length of 8 instead of 6. This actually creates a huge difference: 36^8 = 2.821109907*10^12 possibilities, which works out to about 9 years to break. It's amazing what a difference two characters make. Admittedly, that's not a huge amount of time once we throw parallelization into the mix.
Next we'll make our password even more complex. Instead of just 0-9 and a-z we'll include more possible characters: 0-9, a-z, A-Z, and 10 symbols (!,@,#,$,%,^,(,),*,&). So now we have (10+10+26+26)^8 possibilities. This would take about 2290 years to break. That's pretty damn respectable.
OK, here's the next problem: no one uses uniformly random characters if they pick the password themselves. More likely, my 8 character password contains a word. Maybe it contains two words. There are approximately 150k words in the English language (note that many cracking dictionaries also include non-words, slang and proper nouns), so for two words there are 150k*150k possibilities. This would take approximately 26 days to break. Wow. So even if our password was 15 characters long, if it was just two words the password would be really easy to break.
If our password was an 8 character word and a single digit, there would only be (not even) 150k words * 10 possibilities, which would take only approximately 2.5 minutes to break.
So what's the lesson from all of this? Adding a minor amount of complexity can greatly increase your password's strength, while a password that is 8 characters long but contains a word has greatly reduced complexity. The best way to get a strong password is to use a password generator. So there you go everyone, you've been warned.