Posey's Tips & Tricks

How Important Is Password Complexity?

Brien Posey breaks down exactly how difficult it actually is to crack modern passwords.

• By Brien Posey
• 08/14/2013

UPDATE FROM AUTHOR: As noted by several commenters this post focuses on brute force; I will discuss the rainbow table issue at length in next month's column.

About a month ago, I was walking through an airport and someone walking the opposite direction was talking to their friend about their password. I only heard a few words of their conversation, but the guy said that with today's computing power it would more time than the universe has even existed to crack his password through brute force.

As I thought about the statement later on, I began to wonder about whether the guy really knew what he was talking about or if he was just trying to impress his friend. Theoretically it should be possible to create a password that takes billions of years to crack, but I can only imagine how cumbersome it would likely be to enter such a password. That got me thinking, how difficult is it to crack a standard password?

I remember back in the '90s, everybody seemed to recommend having a password with at least eight characters, at least one number, and at least one symbol. Today each organization has its own password length and complexity requirements, but the recommendations from so long ago are still widely used. While it might have taken an absurd amount of time to crack such a password back then, computing power has increased exponentially, so I honestly wondered if those password guidelines were still viable today.

To put this to the test, I created a simple zip file and I asked my wife to password protect it. I didn't give her any firm guidelines other than to tell her to make it a strong password, but not to go crazy with the password length. In other words, I wanted her to use a password that realistically represented one that might be used in a corporate environment today.

Once she password protected the file, I set out trying to crack the password. First I tried a dictionary-based crack, and when that didn't work, I resorted to brute force.

I have to admit that I underestimated the challenge. I initially attempted the brute force crack on my laptop (while it was running on battery no less). I've got a high end laptop that is designed for gaming, so I thought that the crack would probably be done before we finished dinner. Wrong!

With my laptop battery getting low, I decided to break out the big guns. I had a few servers in my house that I wasn't using for anything at the moment, so I decided to distribute the load across multiple servers, and across multiple CPU cores on each server. All together I had 40 CPU cores running at close to 4 GHz trying to crack my wife's password.

Just to make things interesting, I bumped up the priority of the underlying process to as high of a level as I possibly could. Doing so made the servers non responsive to user input because nearly all of the available CPU resources were being used to crack the password.

Within a few hours all but one of the servers overheated and the automatic shutdown mechanism engaged to prevent hardware damage. Since the remaining server seemed to be operating at a safe temperature, I let it keep running. That one server was using eight CPU cores to try to crack the password and has been averaging 1200 attempts per second, 24 hours a day. The job has been running for over two weeks and the password has not been revealed yet.

Since the password has proven to be so difficult to crack, I decided to do some math and find out how many possible password combinations there really are. Again, I have no idea what password my wife used or how many characters it is, so I started out by looking some standard password requirements.

Suppose for a moment that someone created an eight-character password and used only lowercase letters. Assuming that the cracker knew the password length and that the password only used lower case letters, they would have to try a maximum of 217,180,147,158 password combinations (217.1 billion).  At a rate of 1200 password attempts per second, it could take up to five and a half years to crack the password.

So what if the user also used uppercase passwords? In that case, the number of possible combinations increases to 54,507,958,502,660 (54.5 trillion). At 1200 passwords per second, it could take up to 1440 years to crack the password.

If you also throw digits into the mix then the number of possible combinations for an eight-character password increases to 221,919,451,578,090 (221 trillion). At 1200 attempts per second, it would take nearly 6,000 years to try every possible combination.

So what if we really got crazy and also threw in special symbols? If you were to use every symbol that a computer can generate (including obscure ANSI codes) then there are 669,377,422,333,079,720 (669 quadrillion) possible combinations.  At 1200 password attempts per second, it would take 17,688,182 years to try every password combination. Seventeen million years is far short of the age of the universe, but it's still way too long to wait for a password to be cracked.

Remember that all of these insanely huge numbers were based on a mere eight-character password. So what if we increase the password length to nine characters? As you will recall, when we based the password solely on upper and lower case letters and digits (62 total characters) there were 221,919,451,578,090 passwords and it would take about five and a half years to try every combination at 1200 words per second.  If you increase the length to nine characters then the total combinations explodes to 13,759,005,997,841,642 (13.7 quadrillion). At 1200 password attempts per second, it would take roughly 363,579 years to try every combination. Adding one character to the password length took the time required to crack the password from about 5 years to hundreds of thousands of years.

Of course it is possible to perform more attempts per second. Part of the reason why my server is only able to attempt 1200 passwords per second is because the file is using 256-bit encryption. A weaker form of encryption would result in more attempts per second and a shorter time to crack the password. Similarly, adding additional CPU cores could decrease the time it takes to crack the password. If I were serious about trying to crack the password, I could lease an insane amount of computing power from a cloud provider.

Even so, there is no denying that length and complexity play a critical role in password security. Passwords can be made even more secure by using multi-factor authentication, or even trying out Windows 8's picture password feature.