Passwords, How Long Does It Actually Take To Hack Yours?
According to most studies, a password of six or fewer characters, regardless of how complex it is, is likely to be cracked instantly or nearly instantly by automated cracking tools. In fact, a 7-character complex password (a mix of upper case, lower case, numbers, and symbols) can be cracked within 31 seconds.
Spicing things up a little by adding one more character, making it 8 characters, slows the cracking tools down considerably, but still not enough: an eight-character complex password would take just under 40 minutes to crack.
This is where adding one more character really pays off. A nine-character, complex password takes around 2 days to crack while a 10-character complex password takes 5 months to crack. An eleven-character complex password takes an astonishing 34 years to crack.
Most schools of thought say that 12-16 characters is where you should be, and of course it should include at least two of each of these: upper case, lower case, numbers, and symbols. As technology advances and Central Processing Units (CPUs) and Graphics Processing Units (GPUs) get faster, the time it takes to crack a password gets shorter. Currently, I am using anywhere between 16 and 22 characters for all of my passwords. A 16-character complex password is expected to take 92 billion years to crack. My current password to unlock my personal computer is 22 characters long and complex, and howsecureismypassword.net states it would take 252 sextillion years to crack.
For comparison, in 2020 it took 1 trillion years to crack my 16-character complex password, and it took 8 hours to crack an eight-character complex password, whereas today it would take 39 minutes to crack that same password. At that rate of progression, you can expect an 8-character password to be crackable in a minute or two in the 2023 timeframe.
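To see where figures like these come from, here is an added example (not from the post or from howsecureismypassword.net) that works the arithmetic behind them: the alphabet an attacker has to search is the union of the character classes the password uses, the keyspace is that alphabet size raised to the password length, and the worst-case time is the keyspace divided by the guessing rate. The guessing rate and the hardware doubling period are assumed placeholder values, since the post does not say what rate its numbers are based on; the shape of the curve, each extra character multiplying the cost by the alphabet size, does not depend on them.

```python
import math
import string

# The character classes the post uses to define a "complex" password.
CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32 printable ASCII symbols
}

# Assumed offline guessing rate in guesses per second. The post does not say
# which rate its figures are based on, so this is a constructed placeholder.
ASSUMED_RATE = 10 ** 10


def alphabet_size(password: str) -> int:
    """Size of the alphabet an attacker must search: the union of every
    character class the password actually uses. All four classes give 94;
    lowercase only gives 26."""
    size = sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))
    if size == 0:
        raise ValueError("no characters from a known class")
    return size


def keyspace(alphabet: int, length: int) -> int:
    """Number of candidates of exactly `length` characters."""
    return alphabet ** length


def seconds_to_exhaust(alphabet: int, length: int, rate: int = ASSUMED_RATE) -> float:
    """Worst case: the attacker tries every candidate. On average the
    password is found after half the keyspace."""
    return keyspace(alphabet, length) / rate


def length_table(alphabet: int, lengths, rate: int = ASSUMED_RATE):
    """(length, worst-case seconds) for each length; each extra character
    multiplies the cost by the alphabet size."""
    return [(n, seconds_to_exhaust(alphabet, n, rate)) for n in lengths]


def years_until_crackable(alphabet: int, length: int, target_seconds: float,
                          rate_now: int = ASSUMED_RATE, doubling_years: float = 2.0) -> float:
    """Years until hardware whose speed doubles every `doubling_years`
    (assumed) can exhaust the keyspace within `target_seconds`.
    Solves keyspace / (rate_now * 2**(t / doubling)) = target for t.
    Returns 0 when today's rate is already fast enough."""
    ratio = keyspace(alphabet, length) / (rate_now * target_seconds)
    if ratio <= 1:
        return 0.0
    return doubling_years * math.log2(ratio)


def human(seconds: float) -> str:
    """Rough human-readable duration."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


if __name__ == "__main__":
    a = alphabet_size("aB3!")  # 94
    for n, secs in length_table(a, range(6, 13)):
        print(f"{n:2d} chars: {human(secs)}")
    print("years until an 8-char complex password falls in 60 s:",
          round(years_until_crackable(a, 8, 60), 1))
```

Run it as a script to print the table for lengths 6 through 12; change `ASSUMED_RATE` to match whatever GPU benchmark you trust and the table rescales, but the ratio between consecutive rows stays 94.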
What Exactly Is “Crack”?
When the term crack is used, it means forcibly breaking the password by brute force. No, not with a giant sledgehammer, though smashing things like that is cool. We are talking about software that hashes guess after guess and compares each result against the hash of the real password until a match is found. When those guesses have to go through a login form, this can quickly be thwarted by a simple setting like “lock the account for 15 minutes after 3 failed attempts”. With a setting like this (Windows supports it, as do most other operating systems and web Content Management Systems (CMS) like WordPress), an attacker gets only 12 attempts per hour, which means that even the 7-character complex password that can be cracked in 31 seconds would likely take an hour now.
How Does This All Work?
Let me explain how this works, in very basic and layman’s terms, so you can get a better understanding of what is going on. In the past few years, there has been a huge push for faster and faster GPUs. The push has been backed by the crypto mining world, which uses the GPU to help with the blockchain equations involved in crypto mining. I know, I know, isn’t a GPU for displaying complex graphics? The answer is yes, but because of its ability to work with those complex graphics, it is really good at math equations, and that makes it really good at things like, well, cracking passwords.
A GPU is usually measured in Floating Point Operations Per Second (FLOPS). Because a GPU operates at very high FLOPS rates, it can generate a massive number of hashes per second. This means that all the software and the CPU/GPU need to do is hash each candidate password and compare the result against the known hash. There is more involved, but I am keeping this at a very high level for this post.
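The guess-hash-compare loop described in this section and the lockout arithmetic from the “Crack” section, as an added example that is not from the post. The alphabet is cut down to 36 symbols and the secret to two characters so it finishes in a moment; the salt and the secrets are constructed values. It also shows the defender's side of the same loop: a lockout limits guesses that go through the login form, but does nothing against an attacker who already holds a copy of the hash, and for that case the only lever is making each hash expensive (here PBKDF2 with an assumed iteration count), so the same loop costs thousands of times more per guess.

```python
import hashlib
import hmac
import itertools
import string

# Tiny alphabet so the demonstration finishes quickly; a "complex" password
# as the post defines it draws from 94 symbols.
ALPHABET = string.ascii_lowercase + string.digits   # 36 symbols
SALT = b"constructed-demo-salt"                      # constructed value


def fast_hash(candidate: str) -> str:
    """One unsalted SHA-256: the kind of hash a GPU computes billions of times a second."""
    return hashlib.sha256(candidate.encode()).hexdigest()


def slow_hash(candidate: str, iterations: int = 20_000) -> str:
    """PBKDF2-HMAC-SHA256 (iteration count assumed): deliberately expensive so
    every guess costs the attacker thousands of SHA-256 computations instead of one."""
    return hashlib.pbkdf2_hmac("sha256", candidate.encode(), SALT, iterations).hex()


def brute_force(target_hash: str, max_len: int, alphabet: str = ALPHABET, hash_fn=fast_hash):
    """Offline cracking as the post describes it: hash every candidate, shortest
    first, and compare against the stored hash. Returns (password, guesses) or
    (None, guesses) once the keyspace is exhausted."""
    guesses = 0
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            guesses += 1
            candidate = "".join(chars)
            if hmac.compare_digest(hash_fn(candidate), target_hash):
                return candidate, guesses
    return None, guesses


def online_attempts_per_hour(allowed_failures: int, lockout_minutes: int) -> int:
    """Guess budget through a login form under a policy such as
    "lock for 15 minutes after 3 failed attempts": 3 * (60 // 15) = 12."""
    return allowed_failures * (60 // lockout_minutes)


def online_hours_to_exhaust(keyspace_size: int, allowed_failures: int, lockout_minutes: int) -> float:
    """Worst-case hours to push every candidate through the rate-limited form."""
    return keyspace_size / online_attempts_per_hour(allowed_failures, lockout_minutes)


if __name__ == "__main__":
    stored = fast_hash("k9")                                   # constructed secret
    print(brute_force(stored, max_len=2))                      # ('k9', 432)
    print(brute_force(slow_hash("z"), max_len=1, hash_fn=slow_hash))  # ('z', 26), noticeably slower
    print(online_attempts_per_hour(3, 15))                     # 12
    print(online_hours_to_exhaust(len(ALPHABET) ** 2, 3, 15))  # 108.0
```

Time the two `brute_force` calls to feel the difference per guess; the guess count is identical, only the cost of each guess changes, which is exactly why stored passwords should use a slow, salted hash rather than a plain SHA-256.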
If you really want to nerd out on this, there is a good article by Hive Systems (https://www.hivesystems.io/
Maybe it is time that you change all of your passwords to something a little more secure.