# Calculating Password Complexity

All passwords are first hashed before being stored. A hash is a one way mathematical function that transforms an input into an output. It has the property that the same input will always result in the same output. Modern hashing algorithms are very difficult to break, so one feasible way to discover a password is to perform a brute force attack on the hash.

There are a few factors used to compute how long a given password will take to brute force. To compute the time it will take, you must know the length of the password, the character set used, and how many hashes can be checked every second.

On a modern computer (8 core, 2.8 GHz) using the SHA512 hashing algorithm, it takes about 0.0017 milliseconds to compute a hash. This translates to about 1.7*10^-6 seconds per password, or 588235 passwords per second. Although we will not use the metric in this article, it is important to note that a GPU, or 3D card, can calculate hashes at a speed 50-100 times greater than a computer. For the purposes of this KB article, we will calculate how long given passwords can be cracked using a single modern computer. We also calculate how long they can be cracked using a supercomputer, which is approximately equivalent to a botnet with 100000 computers. Modern supercomputers can be up to 150000 faster than their desktop counterparts and a 100000 computer botnet is feasible; the largest botnet to date is estimated to have 12 million computers. We also assume that on average, the password will be cracked when half of the possible passwords are checked.

To demonstrate the importance of password complexity, let's start with a pincode password such as "123456789". In this case, the character set (0123456789) consists of 10 characters. For a 9 digit password using this character set, there are 10^9 possible password combinations. Therefore, it will take (1.7*10^-6 * 10^9) seconds / 2, or 14.17 minutes, to break this password on average. On a supercomputer or botnet, we divide this by 100000, so it would take 0.0085 seconds to break a password.

If someone uses all lowercase passwords, such as in the password "vacation", then the character set is 26. In this case, there are 26^8 possible combinations of 8 character passwords. So, to break an 8 character password, it will take (1.7*10^-6 * 26^8) seconds / 2, or 2 days. On a supercomputer or botnet, this will take 1.8 seconds.

Now lets assume you use a stronger password with a mix of lowercase and uppercase characters, such as "blUeFisH", then the character set is 52. In this case, there are 52^8 possible combinations of 8 character passwords. So, to break an 8 character password, it will take (1.7*10^-6 * 52^8) seconds / 2, or 1.44 years. Note that on a GPU, this would only take about 5 days. On a supercomputer or botnet, this would take 7.6 minutes.

As you can see, simply using lowercase and uppercase characters is not enough. If we include numbers, such as in the password "r3Dcr0W5", there are 62 characters in the set. To break this password, it will take (1.7*10^-6 * 62^8) seconds / 2, or 5.88 years. Although this is infeasible on a single desktop computer, it would still only take 31 minutes to break on a botnet. Even if you increase this to 10 characters, it can be broken in 83 days on a supercomputer or botnet. If that botnet utilizes the GPU for all computers, it can potentially be broken in less than a day.

If you include symbols, then depending on the symbols used, there are about 80 characters in the set. To break a password such as "%ZBGbv]8", it would take (1.7*10^-6 * 80^8) seconds / 2, or 45.2 years. On a supercomputer or botnet, this will take 4 hours.

So, even if you use a very secure set of characters, your password should be at least 10 characters long. To break a 10 character password that uses letters, numbers, and symbols, such as "%ZBGbv]8g?", it would take (1.7*10^-6 * 80^10) seconds / 2 or 289217 years. This would take about 3 years on a supercomputer or botnet.

The moral of the story is that passwords should be at least 10 characters long and include a mix of numbers, lowercase letters, uppercase letters and symbols.

There are a few factors used to compute how long a given password will take to brute force. To compute the time it will take, you must know the length of the password, the character set used, and how many hashes can be checked every second.

On a modern computer (8 core, 2.8 GHz) using the SHA512 hashing algorithm, it takes about 0.0017 milliseconds to compute a hash. This translates to about 1.7*10^-6 seconds per password, or 588235 passwords per second. Although we will not use the metric in this article, it is important to note that a GPU, or 3D card, can calculate hashes at a speed 50-100 times greater than a computer. For the purposes of this KB article, we will calculate how long given passwords can be cracked using a single modern computer. We also calculate how long they can be cracked using a supercomputer, which is approximately equivalent to a botnet with 100000 computers. Modern supercomputers can be up to 150000 faster than their desktop counterparts and a 100000 computer botnet is feasible; the largest botnet to date is estimated to have 12 million computers. We also assume that on average, the password will be cracked when half of the possible passwords are checked.

To demonstrate the importance of password complexity, let's start with a pincode password such as "123456789". In this case, the character set (0123456789) consists of 10 characters. For a 9 digit password using this character set, there are 10^9 possible password combinations. Therefore, it will take (1.7*10^-6 * 10^9) seconds / 2, or 14.17 minutes, to break this password on average. On a supercomputer or botnet, we divide this by 100000, so it would take 0.0085 seconds to break a password.

If someone uses all lowercase passwords, such as in the password "vacation", then the character set is 26. In this case, there are 26^8 possible combinations of 8 character passwords. So, to break an 8 character password, it will take (1.7*10^-6 * 26^8) seconds / 2, or 2 days. On a supercomputer or botnet, this will take 1.8 seconds.

Now lets assume you use a stronger password with a mix of lowercase and uppercase characters, such as "blUeFisH", then the character set is 52. In this case, there are 52^8 possible combinations of 8 character passwords. So, to break an 8 character password, it will take (1.7*10^-6 * 52^8) seconds / 2, or 1.44 years. Note that on a GPU, this would only take about 5 days. On a supercomputer or botnet, this would take 7.6 minutes.

As you can see, simply using lowercase and uppercase characters is not enough. If we include numbers, such as in the password "r3Dcr0W5", there are 62 characters in the set. To break this password, it will take (1.7*10^-6 * 62^8) seconds / 2, or 5.88 years. Although this is infeasible on a single desktop computer, it would still only take 31 minutes to break on a botnet. Even if you increase this to 10 characters, it can be broken in 83 days on a supercomputer or botnet. If that botnet utilizes the GPU for all computers, it can potentially be broken in less than a day.

If you include symbols, then depending on the symbols used, there are about 80 characters in the set. To break a password such as "%ZBGbv]8", it would take (1.7*10^-6 * 80^8) seconds / 2, or 45.2 years. On a supercomputer or botnet, this will take 4 hours.

So, even if you use a very secure set of characters, your password should be at least 10 characters long. To break a 10 character password that uses letters, numbers, and symbols, such as "%ZBGbv]8g?", it would take (1.7*10^-6 * 80^10) seconds / 2 or 289217 years. This would take about 3 years on a supercomputer or botnet.

The moral of the story is that passwords should be at least 10 characters long and include a mix of numbers, lowercase letters, uppercase letters and symbols.

Article ID: 278, Created On: 8/7/2012, Modified: 3/27/2013

## Feedback (0)