An article on the BBC recently called for people to use stronger passwords in the wake of more computational power available to hackers. We know that security needs to scale as computers become more powerful because security is ultimately a numbers game. A hacker needs to guess the correct numbers to get to the encrypted data and security is all about the amount of time he will likely need to guess those numbers.
The most elementary form of protection is the password. Security systems do not store the password directly, instead they use a hashing algorithm that converts the password to a hash and it is that hash that gets stored. When you type in a password it is converted to a hash and compared to previously stored hash, if it matches it allows access to the user. If someone were to steal the hash of a password he would still not be able to access the system as he would need to generate a string of code that when hashed would generate the same hash he stole. This is more difficult than it sounds because there are literally billions of combinations and moreover the conversion to a hash is somewhat expensive in terms of processing.
How long does it take to crack a password?
There are many factors to consider starting from the type of attack. If your password is a dictionary word it will be cracked within seconds as the attacker is likely to use a dictionary attack. If you don’t use a word in the dictionary an attacker will be forced to use a brute force attack which is basically trying every combination possible. The time spent here is determined by the strength of your password which depends on how many combinations the password has – variations between lowercase, uppercase letters, numbers and symbols. A modern 4 core computer can guess 100,000,000 passwords per second and below is an estimated timeline of how long it will take to crack the password based on that statistic:
|Only Number||8 characters||Instant|
|Only Number||9 Characters||10 seconds|
|Alphabet all the same case||8 Characters||35 minutes|
|Alphabet mixed case||8 Characters||6 days|
|Alphabet mixed case||9 Characters||322 days|
|Mixed Case and numbers||8 Characters||25 days|
|Mixed Case and Symbols||8 Characters||346 days|
|Mixed Case, numbers and Symbols||8 Characters||2 years|
The table above shows that a password which uses a mix of lower case, upper case and numbers and has the recommended 8 characters will take approximately 25 days to crack! If your data is time sensitive that should be good enough right? Unfortunately the answer is no.
Security is a numbers game and in the last couple of years the numbers have changed drastically. GPUs (Graphical Processor Units) have all become powerhouses; they are basically super computers on a small chip. It was only natural that password cracking, which is an ideal task for this kind of architecture, would exploit this power. Furthermore these GPUs can be connected together and merge their computational power. It is easy although a little expensive to build a computer with 4 GPUs.
How do GPUs change the numbers?
According to a benchmark I found by a developer of one such password-cracking software that utilizes GPU to speed up the process of decryption, using a GeForce 9800GX2 the software is capable of trying 608 million combinations every second – that’s 6x the speed of a quad core CPU. The bad news doesn’t end there however; the Geforce 9800GX2 is a bit old by today’s standards and is rated at approximately 1 TerraFlop.
A modern Graphic card such as the ATI HD5970 is rated at 5.5 TerraFlops which can yield 33x the speed of a modern CPU. Imagine a scenario where 4 of these cards are installed in a computer and you will have a system that is able to theoretically crunch 13,200,000,000 passwords per second. With such a system the time it will take to crack a password will change as follows:
|Only Number||8 characters||Instant|
|Only Number||9 Characters||Instant|
|Alphabet all the same case||8 Characters||15 seconds|
|Alphabet mixed case||8 Characters||1 hour|
|Alphabet mixed case||9 Characters||2 days|
|Mixed Case and numbers||8 Characters||4.5 days|
|Mixed Case and Symbols||8 Characters||2.6 days|
|Mixed Case, numbers and Symbols||8 Characters||5 days|
This kind of performance will currently cost the attacker over $2,800 however with GPUs you can expect that price to half in the next year or two.
The next question is what kind of password do we need in order to retain our comfortable two year cracking time? Luckily adding one more character (thus increasing the length to nine characters for our very strong mixed case, numbers and symbols password) will do the trick, as this setup will take 1.7 years to crack instead of the previous 2.26 years it would take a regular 4 core Computer. If on the other hand you’d rather use an easier to remember mix of lower case and upper case letters and numbers then 10 characters is the minimum length needed to reach the two year mark.
Two years of cracking time is the bare minimum that I would consider secure. Traditionally that would mean a password that is at least eight characters long and consists of mixed cases and numbers; however, in today’s world the current bare minimum is 10 characters for this type of password or nine characters if you also include symbols in the mix. An additional advantage if one uses symbols in passwords is that an attacker might not include them in his first run of brute forcing thus wasting precious time trying to crack a password.
Keep this in mind next time you create a new password or a password policy.