6,634,204,312,890,625 passwords cracked in 2.5 days
Thought an 8-character password
was strong? Think again!
Posted on: 01 November 2016
By: Paul Colwell, Technical Director
At OGL we take IT security seriously so we have developed a machine that is designed to crack passwords. This machine can guess passwords at an amazing 30 billion combinations per second.
There are 6,634,204,312,890,625 combinations of an 8-character password using the full range of letters, numbers and special characters.
Our hosted desktop default domain policy requires a password to be a minimum of 8 characters. So how long would it take OGL’s machines to crack your password, based on our password cracking machine being able to process 30 billion passwords per second? Well it’s 6,634,204,312,890,625 / 30,000,000,000 = 221,140 seconds or 2.5 days!!
Just by adding 1 character to your password, the cracking time is extended to 8 months, add 2 and it becomes 63 years! This is doing it by brute force, in other words trying every possible combination. The time can be significantly reduced by using dictionary attacks combined with rules that closely resemble the methods people use to choose passwords. Don’t be fooled into thinking that Password1! will take years to crack, dictionary words and combinations of them will be cracked in minutes, not hours.
Passwords such as Pa$$word1, Wolves16 or Birmingham1! will not help… At a rate of 30 billion combinations per second, it doesn’t take long to rattle through the 1 million words in the English dictionary plus common numbers and phrases. The machines word list has 64 million well known words, names, places, phrases and number combinations.
So how do we set a strong password that we can remember?
There are plenty of password managers available on the internet such as Last Pass (I would highly recommend that you invest in this product for all your accounts at home…Amazon, eBay etc) that will generate random passwords such as 25c7NWcFOuwJ (12 characters, so 63 years to brute force) but can you remember this?
According to the traditional advice – which is still good – a strong password should comply with the following:
Minimum 12 characters
You need to choose a password that’s long enough. The longer the password, the better.
Include numbers, symbols, capital letters, and lower-case letters
Use a mix of different types of characters to make the password harder to crack. Don’t just put the numbers and symbols at the end, the password becomes vulnerable to rule-based cracking. We see a lot of passwords ending in 1! just to satisfy this requirement.
Avoid dictionary words or a combination of dictionary words
Stay away from obvious dictionary words and combinations of 2 or 3 dictionary words. Any word on its own is easy to crack. Any combination of a few words, especially if they’re obvious, also leaves you vulnerable. For example, “house” is a poor password, as is “Red house”.
Don’t rely on obvious substitutions
Don’t use common substitutions, for example, “H0use” isn’t strong just because you’ve replaced an o with a 0. That’s too obvious. Obvious substitutions include: e > 3, a > 4, o > 0, b > 6, i or l > 1, and common SMS abbreviations.
Try to mix it up
Although “BigHouse$123” fits many of the requirements, in that it’s 12 characters and includes upper-case letters, lower-case letters, a symbol, and some numbers, it’s fairly obvious as it’s a dictionary phrase where each word is capitalised properly. There’s only a single symbol, all the numbers are at the end, and they’re in an easy order to guess… this password was hacked in 8 mins.
This is how I do mine…
I find it easier to remember a sentence like “The first house I ever lived in was 61 Fake Street. Rent was £400 per month.” You can then turn that into a password by using the first digits of each word, so your password would become TfhIeliw61FS.Rw£4pm. This is a strong password at 21 digits.
If you don’t use the above method, OGL recommends using 4 or 5 truly random unrelated words, mixed case, separated with symbols, something like “PHONE wedding&alien-packard+FLAG”. If you have trouble thinking of random words, then there are generators available, such as https://xkpasswd.net/, try playing with the presets until you find a combination that’s easy for you to remember.
If you wish to check password strengths use the following tool: https://password.kaspersky.com/ produced by our partner Kaspersky Lab.
Please note the information provided on this page is done so in good faith. OGL does not accept any liability should hackers gain access to your data using passwords that comply with the guidance provided.