Appendix D
How long should my password be?
Let’s see how long it would take a computer program to guess your password. Assuming your password is made up only of lower-case English letters, we will calculate the maximum number of possibilities a password cracker would need to try.
| Password length | 3 | 5 | 7 | 9 |
| --- | --- | --- | --- | --- |
| Calculation | 26 x 26 x 26 | 26 x 26 x 26 x 26 x 26 | 26 x 26 x 26 x 26 x 26 x 26 x 26 | 26 x 26 x 26 x 26 x 26 x 26 x 26 x 26 x 26 |
| Number of possibilities | 17,576 | 11,881,376 | 8,031,810,176 | 54,295,503,678,976 |
Now, let’s add digits and upper-case letters to our password. This increases the number of possible values for every character to 62.
| Password length | 3 | 5 | 7 | 9 |
| --- | --- | --- | --- | --- |
| Calculation | 62 x 62 x 62 | 62 x 62 x 62 x 62 x 62 | 62 x 62 x 62 x 62 x 62 x 62 x 62 | 62 x 62 x 62 x 62 x 62 x 62 x 62 x 62 x 62 |
| Number of possibilities | 238,328 | 916,132,832 | 3,521,614,606,208 | 13,537,086,546,263,552 |
As you can see, the number of possibilities increases dramatically when you add variety to the password characters and when you increase its length. But how quickly can computers break these passwords? We will assume that a computer processes 100,000 password possibilities per second (modern PC). The table below shows password lengths from 3 to 12 characters. The figures at the top (26, 36, 52, 68, 94) indicate the number of characters from which the passwords are formed (assuming the English alphabet is used): 26 is the number of lower-case letters, 36 is letters and digits, 52 is mixed-case letters, and 68 is single-case letters with digits, symbols and punctuation.[117]
| Length | 26 | 36 | 52 | 68 |
| --- | --- | --- | --- | --- |
| 3 | 0.18 seconds | 0.47 seconds | 1.41 seconds | 3.14 seconds |
| 4 | 4.57 seconds | 16.8 seconds | 1.22 minutes | 3.56 minutes |
| 5 | 1.98 minutes | 10.1 minutes | 1.06 hours | 4.04 hours |
| 6 | 51.5 minutes | 6.05 hours | 13.7 days | 2.26 months |
| 7 | 22.3 hours | 9.07 days | 3.91 months | 2.13 years |
| 8 | 24.2 days | 10.7 months | 17.0 years | 1.45 centuries |
| 9 | 1.72 years | 32.2 years | 8.82 centuries | 9.86 millennia |
| 10 | 44.8 years | 1.16 millennia | 45.8 millennia | 670 millennia |
| 11 | 11.6 centuries | 41.7 millennia | 2,384 millennia | 45,582 millennia |
| 12 | 30.3 millennia | 1,503 millennia | 123,946 millennia | 3,099,562 millennia |
Based on these figures, one can assume that even an 8-character random password using lower-case letters and digits will be sufficiently complex. If your main password to date has been only 5 characters long, it is possible that it has already been compromised, or that it could be compromised quickly should someone attempt it.
Note: the above figures apply to random passwords only. Profiling and dictionary attacks work differently, because they target ‘real word’ passwords rather than searching the whole space.
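The calculations behind the three tables above, as an added Python example that is not part of the original appendix: it computes the keyspace, the worst-case search time at the text's assumed 100,000 guesses per second (the rate is a parameter so other assumed speeds can be plugged in), formats durations with the same unit ladder the table uses, and answers the appendix's question directly by finding the shortest length that reaches a chosen search time. The 30-day month, the 365-day year and the 10**10 guesses-per-second comparison rate are assumptions of the example, not figures from the appendix.

```python
# Character-set sizes used in the appendix's tables.
CHARSETS = {"lower": 26, "lower+digits": 36, "mixed": 52, "lower+digits+symbols": 68}
GUESSES_PER_SECOND = 100_000  # the text's assumed cracker speed

# Unit ladder used by the table (assumed: 30-day months, 365-day years).
UNITS = [("seconds", 1), ("minutes", 60), ("hours", 3600), ("days", 86400),
         ("months", 86400 * 30), ("years", 86400 * 365),
         ("centuries", 86400 * 365 * 100), ("millennia", 86400 * 365 * 1000)]


def keyspace(alphabet_size: int, length: int) -> int:
    """Maximum number of candidates an exhaustive search must try."""
    return alphabet_size ** length


def seconds_to_crack(alphabet_size: int, length: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try the whole keyspace at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate


def humanize(seconds: float) -> str:
    """Express a duration in the largest unit that gives a value >= 1, as the table does."""
    name, size = UNITS[0]
    for unit_name, unit_size in UNITS:
        if seconds >= unit_size:
            name, size = unit_name, unit_size
    value = seconds / size
    # Three significant figures for small values, whole numbers with separators above 100.
    return f"{round(value):,} {name}" if value >= 100 else f"{value:.3g} {name}"


def min_length(alphabet_size: int, target_seconds: float, rate: int = GUESSES_PER_SECOND) -> int:
    """Shortest password length whose worst-case search time reaches target_seconds."""
    length = 1
    while seconds_to_crack(alphabet_size, length, rate) < target_seconds:
        length += 1
    return length


def crack_table(lengths=range(3, 13), rate: int = GUESSES_PER_SECOND) -> list:
    """Render the appendix's time-to-crack table as text rows for the given guess rate."""
    sizes = list(CHARSETS.values())
    rows = ["length | " + " | ".join(str(s) for s in sizes)]
    for n in lengths:
        rows.append(f"{n} | " + " | ".join(humanize(seconds_to_crack(s, n, rate)) for s in sizes))
    return rows


if __name__ == "__main__":
    print("\n".join(crack_table()))
    # Same table recomputed for an assumed guess rate of 10**10 per second (constructed figure).
    print("\n".join(crack_table(rate=10**10)))
    century = 86400 * 365 * 100
    print("letters+digits, length needed to reach a century at 100k/s:", min_length(36, century))
```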