
Appendix D
How long should my password be?
Let’s see how long it would take a computer program to guess your password. Assuming your password is made up only of lowercase English letters, we will calculate the maximum number of possibilities a password cracker needs to try.
Password Length   Calculation                                       Number of possibilities
3                 26 x 26 x 26                                      17,576
5                 26 x 26 x 26 x 26 x 26                            11,881,376
7                 26 x 26 x 26 x 26 x 26 x 26 x 26                  8,031,810,176
9                 26 x 26 x 26 x 26 x 26 x 26 x 26 x 26 x 26        54,295,503,678,976
Now, let’s add digits and uppercase letters to our password. This increases the number of possibilities for each character to 62.
Password Length   Calculation                                       Number of possibilities
3                 62 x 62 x 62                                      238,328
5                 62 x 62 x 62 x 62 x 62                            916,132,832
7                 62 x 62 x 62 x 62 x 62 x 62 x 62                  3,521,614,606,208
9                 62 x 62 x 62 x 62 x 62 x 62 x 62 x 62 x 62        13,537,086,546,263,552
As you can see, the number of possibilities increases dramatically when you add variety to the password characters and when you increase the password’s length. But how quickly can computers break these passwords? We will assume that a computer tries 100,000 password possibilities per second (a modern PC). The table below shows password lengths from 3 to 12 characters. The figures at the top (26, 36, 52, 68, 94) indicate the number of characters from which the passwords are formed (assuming the English alphabet is used): 26 is the number of lowercase letters, 36 is letters and digits, 52 is mixed-case letters, and 68 is single-case letters with digits, symbols and punctuation.^{117}
Password Length   26                 36                  52                   68
3                 0.18 seconds       0.47 seconds        1.41 seconds         3.14 seconds
4                 4.57 seconds       16.8 seconds        1.22 minutes         3.56 minutes
5                 1.98 minutes       10.1 minutes        1.06 hours           4.04 hours
6                 51.5 minutes       6.05 hours          13.7 days            2.26 months
7                 22.3 hours         9.07 days           3.91 months          2.13 years
8                 24.2 days          10.7 months         17.0 years           1.45 centuries
9                 1.72 years         32.2 years          8.82 centuries       9.86 millennia
10                44.8 years         1.16 millennia      45.8 millennia       670 millennia
11                11.6 centuries     41.7 millennia      2,384 millennia      45,582 millennia
12                30.3 millennia     1,503 millennia     123,946 millennia    3,099,562 millennia
Based on these figures, one can assume that even an 8-character random password using lowercase letters and digits will be sufficiently complex. If your main password to date has been only 5 characters long, it is possible it has already been compromised, or it is likely to be compromised should someone set out to do so.
Note: the above figures apply to random passwords only. Profiling and dictionary attacks are different, because they only work against ‘real word’ passwords.
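The arithmetic behind the three tables, and the note’s distinction between random and ‘real word’ passwords, as an added example that is not part of this appendix or the guide it belongs to. It computes the keyspace for any alphabet size and length, converts the worst-case exhaustive-search time into the units the table uses at the appendix’s assumed rate of 100,000 guesses per second (the rate is a parameter, so a reader can substitute a different figure), and contrasts that with a dictionary attack, whose cost is one guess per list entry regardless of the word’s length. The alphabet names, the `GUESSES_PER_SECOND` constant and the five-entry toy wordlist are assumptions constructed for the example.

```python
# Added example, not the guide's own code: password keyspace, time to exhaust it,
# and why a dictionary word is weak no matter how long it is.
from math import log2
from typing import Iterable, Optional

# Alphabet sizes used in the appendix's tables (names are our own labels).
ALPHABETS = {
    "lowercase": 26,             # a-z
    "letters+digits": 36,        # a-z, 0-9
    "mixed-case": 52,            # a-z, A-Z
    "mixed-case+digits": 62,     # a-z, A-Z, 0-9
}

GUESSES_PER_SECOND = 100_000     # the appendix's assumed rate for a modern PC


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def bits_of_entropy(alphabet_size: int, length: int) -> float:
    """Same quantity expressed in bits: log2 of the keyspace."""
    return length * log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int,
                       rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every password in the keyspace at `rate` guesses/s."""
    return keyspace(alphabet_size, length) / rate


def human_duration(seconds: float) -> str:
    """Render a duration in the largest fitting unit, as the appendix's table does."""
    year = 365.25 * 86400
    units = [
        ("millennia", 1000 * year),
        ("centuries", 100 * year),
        ("years", year),
        ("months", year / 12),
        ("days", 86400.0),
        ("hours", 3600.0),
        ("minutes", 60.0),
    ]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.3g} {name}"
    return f"{seconds:.3g} seconds"


# Constructed toy wordlist. A real attack dictionary has millions of entries,
# but the arithmetic is the same: one guess per entry, independent of length.
TOY_WORDLIST = ["password", "sunshine", "letmein", "football", "dragon"]


def dictionary_guesses(password: str, wordlist: Iterable[str]) -> Optional[int]:
    """Guesses a dictionary attack needs to hit `password`, or None if it is not listed."""
    for position, word in enumerate(wordlist, start=1):
        if word == password:
            return position
    return None


def crack_time_table(lengths: Iterable[int], rate: int = GUESSES_PER_SECOND) -> dict:
    """Map (alphabet name, length) -> human-readable exhaustive-search time."""
    return {
        (name, n): human_duration(seconds_to_exhaust(size, n, rate))
        for name, size in ALPHABETS.items()
        for n in lengths
    }


if __name__ == "__main__":
    for (name, n), t in crack_time_table(range(3, 13)).items():
        print(f"{name:18} length {n:2}: {t}")
    # An 8-character 'real word' is found in a handful of guesses; a random
    # 8-character lowercase string needs up to 26**8 guesses.
    print("football:", dictionary_guesses("football", TOY_WORDLIST), "guesses")
    print("random 8 lowercase:", human_duration(seconds_to_exhaust(26, 8)))
```

Running the script prints the exhaustive-search time for every alphabet and length from 3 to 12 at the appendix’s rate; passing a higher `rate` to `crack_time_table` shows how the same keyspace shrinks in time against faster hardware, which is why the entropy in bits is the more durable way to compare passwords.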
