How long of a password do you need to be safe?
Say you start with a typical password of six characters. When
you enter this into your computer's authentication mechanism,
it is hashed and stored in a database. The hash, a
fixed-sized string derived from some arbitrarily long string of
text, is generated by a formula in such a way that it is
extremely unlikely that other texts will produce the same hash
value--unlikely, but not impossible.
Because passwords are not arbitrarily long--they are generally
4 to 12 characters--this reduces the search space should
someone else try to find a matching hash to that of your
password's. In other words, an attacker's password-cracking
program does not need to calculate every possible combination of
six-character passwords. It only needs to find a hash of a
six-character ASCII-printable password that matches the hash
stored in the password file or sniffed off the network.
Because an attacker cannot try to guess passwords at a high
rate through the standard user interface (the time to enter
them is prohibitive, and most systems can be configured to lock
out the user out after consecutive wrong attempts), one may
assume that the attacker will get them either by capturing the
system password file or by sniffing the network segment.
Each character in a password is a byte. Printable ASCII characters are in codes 32 through 126. ASCII codes 0-31 and 127 are unprintable characters, and 128255 are special ALT-characters that are not generally used for passwords. This leaves 95 printable ASCII characters.
If there are 95 possible choices for each of the six password
characters, this makes the password space 95^6 = 735,091,890,625
Modern computers are capable of making more than 10 billion
calculations per second. It has been conjectured that agencies
such as the NSA have password-cracking machines (or several
machines working in parallel) that could hash and check passwords
at a rate of 1 billion per second.
How fast, then, could an attacker check every possible
combination of six-character passwords?
735,091,890,625/1,000,000,000 = about 12 minutes (See table
Mind you, this is the time needed to brute force every
possible combination of passwords. In reality, password
crackers first use dictionary and hybrid attacks before
resorting to brute force. Thus, if your password is weak (i.e.,
easily guessed and not sufficiently random), the time to
crack it will be much shorter.
What if the system forces users to have a seven-character
password? Then it would take an attacker 19 hours to brute force
every possible password. Many Windows networks fall under this
category due to backward compatibility issues. Passwords on
these systems cannot be much stronger than seven characters.
Thus, it can be assumed that every
password sent on a Windows system using LAN Manager can be
cracked within a day.
What if the system enforces eight-character passwords? Then it
would take 77 days to brute force them all. If a system's
standard policy is to require users to change passwords every
90 days, this may not be sufficient.
It looks like nowadays, you need at least a nine-character
password (which is not easily guessed or social engineered) to
be "safe." This is at the upper limit of normal human
memory, according to Miller's magic rule of "seven, plus
or minus two".
Help desk, better get ready for more password reset calls!
Table of password-cracking times*
Time to crack (hrs)
*Assuming 1 billion hash and check operations per second