2015-01-05

Password Science - 201, the intermediate view

In Password Science 101, I gave a quick, very beginner introduction about what every person with a password can do to make a difference in security.

This post will be a longer post that talks a little more about the math and how it works, so that you can get a glimpse into the mind of an attacker and what an attacker sees when they want a password.



To understand how all the math works, you need to know that passwords have something called keyspace. This is a mathematical reflection of the possible values for a password. So, let's start simply.

If you have a four digit pin code, you have 10 possible digits you can use: 0, 1, 2, 3, 4, 5, 6, 7, 8, or 9. Each of the four positions holds one of those digits, so 0000, 1234, 9999, and any other combination is allowed. That means there are 10000 possible combinations that you can try before you are guaranteed to guess the right pin code.

Here's how that math works. 10 digits, 4 places is a keyspace of 10^4. This is 10 x 10 x 10 x 10, or 10000.

So, let's look at an 8 character password. There are 26 letters in the English alphabet. That would be 26 letters, 8 places, or 26^8. A calculator says this is 208,827,064,576 possible combinations if you made an 8 letter password using only lower case letters. That sounds like a lot, right?

A computer dedicated to cracking passwords can make more than 40 Billion guesses per second. That's 40,000,000,000. For that 8 character password, that's about 5 seconds worth of work. Pretty scary, right?

Let's say you use a mixture of uppercase and lowercase letters. That makes it 26 x 2, so 52^8. That would take about 22 minutes. If we add numbers, 62^8. That would take about 90 minutes. What if we add symbols, too? 96^8. That's only about 50 hours. Yikes!

But, all hope is not lost. If all you do is use 12 characters instead of 8, only using lower case letters, that raises the time to break that to more than 27 days.
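To make the keyspace math above concrete, here is a small estimator I've added (it is not code from the original post). It infers which character classes a password uses, computes alphabet^length, and divides by the 40 billion guesses/second rate quoted above; the alphabet sizes are the post's own, with the symbol class set to 34 so the full set adds up to the post's 96.

```python
"""Keyspace and worst-case brute-force time estimator (added example)."""
import string

GUESSES_PER_SECOND = 40_000_000_000  # the rate quoted in the post

# Alphabet size per character class. 34 symbols is an assumption chosen so that
# lower + upper + digits + symbols = 96, matching the post's figure.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 34}


def classes_used(password: str) -> set:
    """Return the set of character classes that appear in the password."""
    found = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            found.add("lower")
        elif ch in string.ascii_uppercase:
            found.add("upper")
        elif ch in string.digits:
            found.add("digit")
        else:
            found.add("symbol")
    return found


def keyspace(password: str) -> int:
    """Alphabet size raised to the length, e.g. 26**8 for 8 lower-case letters."""
    alphabet = sum(CLASS_SIZES[c] for c in classes_used(password))
    return alphabet ** len(password)


def seconds_to_exhaust(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst case: every combination in the keyspace is tried once."""
    return keyspace(password) / rate


def human_time(seconds: float) -> str:
    """Format a duration in the largest sensible unit, one decimal place."""
    units = (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    # Constructed sample passwords that reproduce the post's five cases.
    for pw in ["abcdefgh", "AbCdEfGh", "AbCdEf12", "AbCd12!?", "abcdefghijkl"]:
        print(f"{pw:14} keyspace={keyspace(pw):>22,}  {human_time(seconds_to_exhaust(pw))}")
```

Running it reproduces the post's numbers and shows that the 12-letter lower-case password (26^12) outlasts the 8-character all-classes one (96^8) by a wide margin.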

So, use longer passwords, or passphrases to secure your stuff!

If you would like to read more about how attackers use this math to crack passwords, I touch on it lightly in my next post: Password Science 301
