
February 5, 2011

Time It Takes a Hacker's Computer to Randomly Guess Your Password


[via Bloomberg BusinessWeek]

February 5, 2011 at 10:01 AM




It would take a long time to crack my PW of ColonToganineteenfourtytwo

Posted by: Anonymous | Feb 10, 2011 5:42:17 AM

To the wifi cracker. Too bad the 30 other wifi networks are all drowning each other out and you can't get a signal 30 feet away. SUCKAH!!!!

Posted by: Greg | Feb 10, 2011 3:14:42 AM

That's not accurate. If you are trying to brute force a login service (such as ssh), it only allows several login attempts per second, so it could take decades. However, if you are trying to brute force a file locally (such as a file of Windows password hashes) you can try tens of thousands of passwords per second, which speeds things up significantly. Even if the passwords are identical.

Posted by: Tiera | Feb 10, 2011 1:23:59 AM
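The online-versus-offline distinction in the comment above, worked through as an added example (not part of the original post or its comments). The two guess rates and the sample passwords are assumptions chosen to match the comment's orders of magnitude, and only printable ASCII is counted.

```python
import string

# Assumed rates (not from the page): chosen to match the comment's
# "several attempts per second" and "tens of thousands per second".
ONLINE_RATE = 5         # guesses/s against a rate-limited login service
OFFLINE_RATE = 50_000   # guesses/s against a local file of hashes

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def alphabet_size(password):
    """Size of the union of printable-ASCII classes the password draws on."""
    return sum(len(chars) for chars in CLASSES
               if any(c in chars for c in password))

def keyspace(alphabet, length):
    """Candidates of length 1..length: what an exhaustive search must cover."""
    return sum(alphabet ** n for n in range(1, length + 1))

def seconds_to_exhaust(password, rate):
    """Worst-case seconds to try every candidate at `rate` guesses/second."""
    return keyspace(alphabet_size(password), len(password)) / rate

def human(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, span in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= span:
            return f"{seconds / span:,.1f} {unit}"
    return f"{seconds:.1f} seconds"

def compare(password):
    """Same password, two attack settings: online service vs. local hashes."""
    return {"online": human(seconds_to_exhaust(password, ONLINE_RATE)),
            "offline": human(seconds_to_exhaust(password, OFFLINE_RATE))}

if __name__ == "__main__":
    # Constructed sample passwords, one per character-class mix.
    for sample in ("kitten", "Kitten42", "K1tten!42x"):
        print(f"{sample:12} {compare(sample)}")
```

These are exhaustive-search figures only; dictionary words and precomputed tables, both raised elsewhere in this thread, shorten the real time for guessable passwords.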

Brute forcing is not random or guessing.

Posted by: Mark | Feb 10, 2011 1:22:30 AM

It's amazing how many people don't have a good password. Thanks for sharing.

Posted by: Kevin | Feb 10, 2011 1:20:59 AM

Srsly...someone's never heard of distributing the brute force load over a series of graphics processors like the Nvidia Tesla. With a rig running 4 Teslas or an Amazon cloud setup, you're looking at cutting crack times in half, easy.

You people think your wifi is safe, put me in 3 kilometers of your AP with my card and a backtrack distro and I'll knock you offline before you can bookmark your favorite porn.

Posted by: Rusty Shackelford | Feb 9, 2011 5:34:33 PM

I sometimes use a phrase (excluding spaces) that's meaningful to me using symbols, numerals and uppercase letters to spell the text. Some passwords are 20+ chars long yet are memorable.

To introduce a pseudo-random component, sometimes I even tack on all the numerals on my watch, both time and date, at the beginning and end of a new password.

Posted by: 12n3M | Feb 9, 2011 1:34:09 PM

I have two points for the commenter called "6.02*10^23"

1) I use a similar system for passwords, and enthusiastically concur with your suggestions. A long-ish compound password can be both easy to remember and difficult to crack.

2) I still find the mole concept one of the most interesting in science. Imagine the excitement of discovering combining weights for chemical reactions! A beautiful series of experiments and deductions that so indirectly, yet so convincingly proves the existence of molecules.

Posted by: Ralph | Feb 9, 2011 10:58:46 AM

You guys are all nerds.

Posted by: malkovich | Feb 9, 2011 10:49:16 AM

These times are, in my opinion, very inaccurate. An 8 character password with lowercase, uppercase, and numbers took my computer about 1.5 minutes to crack. As John Poulin mentioned, the use of Rainbow Tables and such shortens the time it needs to crack a password considerably. The above table is a bit misleading in my point of view and I thought I'd point it out.

Posted by: white hat | Feb 9, 2011 10:30:38 AM

First of all, this doesn't even mention the processor speed which was used to determine these statistics. On top of that, anyone with a 9 character password (even with nos + symbols) should be worried about rainbow tables, not necessarily brute force.

That being said, a password is intended to be confidential. When we enter our password we assume the application isn't malicious. It is entirely possible for a malicious 'password generator' to feed you a password and simply enter it into a rainbow table, thus entirely defeating the purpose.

There's no tool better than the human mind. Create your own passwords, rotate them, and use only sites you trust.

Posted by: John Poulin | Feb 9, 2011 9:24:03 AM

My Dad told me a long time ago when I was young that....A lock is to keep the honest people out. Good luck if you think a password will keep dishonest people out. I just found out yesterday that my bank card had been cloned and used. Darn

Posted by: What'sYourName? | Feb 9, 2011 8:55:32 AM

Did you just make these numbers up, or is there some kind of science behind it?

Posted by: dbcn | Feb 9, 2011 8:54:25 AM

Wow, OK man that makes a lot of sense dude.


Posted by: wemizemi | Feb 9, 2011 8:50:46 AM

Hey Joe, I wanted to share this 'hack time table' with my readers and clicked over to the source you linked so that I could verify it.

However, as interesting as the article was about the government stepping in to possibly eliminate the need for passwords, there was no reference to the hack table you posted.

I'm sure you have a source... could you share it? I just hate posting unsourced/verified information.

Obviously you'll still get the hat tip even though the info was from a third party. :-)



Posted by: treppenwitz | Feb 6, 2011 4:06:07 AM

Eh, I let Keepass handle the password I care about.

Posted by: Rocketboy | Feb 5, 2011 4:28:59 PM

I've learned (working on computers) that 90% have mediocre passwords (for everything, banking, log in, memberships, etc).

For those that will never change (I see a big show of hands), at least try the following:

Use one charge card for ALL on-line purchases that post an Email within 24 hours of all your purchases.

Use one bank account on-line with just enough to cover the bills, never keep a large excess in it.

Do it, don't think about it!

Posted by: Joe Peach | Feb 5, 2011 4:17:13 PM

Not my passwords..... See: https://www.grc.com/passwords.htm

I hate banks that require such short passwords - for all others I use at least a 13 character password. My WIFI systems use WPA2 password systems (WEP has been broken and is wholly ineffective) and a 20 character password - something like this: "WknlWd12I?3?>9%q8Ul}DWZZY];7HM_HF!RpGn;*r7g"

How do I remember these? I don't. I use a jump drive (google: "Ironkey") and I rely upon the UNIX keychain + remote backup of my keychain.

I still need to memorize a password to access the password devices.... I use a combination of letters and numbers that have meaning to me and nobody else.

Try something like your 3rd grade teacher's first/last name, the address you lived at in college and your anniversary date - all together (not my master password but similar) and that would be goff1113NEMaplewoodmay21976 a nice, long and unbreakable - but memorable password.

Posted by: 6.02*10^23 | Feb 5, 2011 4:05:24 PM
