Digital Security and Privacy for Human Rights Defenders

Appendix D
How long should my password be?

Let’s see how long it would take a computer program to guess your password. Assuming your password is made up only of lower-case English letters, we will calculate the maximum number of possibilities the password cracker needs to sort through.
Password length   Calculation                                   Number of possibilities
3                 26 x 26 x 26                                  17,576
5                 26 x 26 x 26 x 26 x 26                        11,881,376
7                 26 x 26 x 26 x 26 x 26 x 26 x 26              8,031,810,176
9                 26 x 26 x 26 x 26 x 26 x 26 x 26 x 26 x 26    54,295,503,678,976

Now, let’s add digits and upper-case letters to our password. This increases the variations of every character to 62 different possibilities.

Password length   Calculation                                   Number of possibilities
3                 62 x 62 x 62                                  238,328
5                 62 x 62 x 62 x 62 x 62                        916,132,832
7                 62 x 62 x 62 x 62 x 62 x 62 x 62              3,521,614,606,208
9                 62 x 62 x 62 x 62 x 62 x 62 x 62 x 62 x 62    13,537,086,546,263,552

As you can see, the number of possibilities grows dramatically when you add variety to the password characters and when you increase its length. But how quickly can computers break these passwords? We will assume that a computer tests 100,000 password possibilities per second (a modern PC). The table below shows password lengths from 3 to 12 characters. The column headings - 26, 36, 52, 68, 94 - indicate the number of characters from which the passwords are formed (assuming the English alphabet is used): 26 is lower-case letters only, 36 is lower-case letters and digits, 52 is mixed-case letters, 68 is single-case letters with digits, symbols and punctuation. [117] (The 94-character set is not shown in the table.)

Length   26 characters      36 characters        52 characters         68 characters
3        0.18 seconds       0.47 seconds         1.41 seconds          3.14 seconds
4        4.57 seconds       16.8 seconds         1.22 minutes          3.56 minutes
5        1.98 minutes       10.1 minutes         1.06 hours            4.04 hours
6        51.5 minutes       6.05 hours           13.7 days             2.26 months
7        22.3 hours         9.07 days            3.91 months           2.13 years
8        24.2 days          10.7 months          17.0 years            1.45 centuries
9        1.72 years         32.2 years           8.82 centuries        9.86 millennia
10       44.8 years         1.16 millennia       45.8 millennia        670 millennia
11       11.6 centuries     41.7 millennia       2,384 millennia       45,582 millennia
12       30.3 millennia     1,503 millennia      123,946 millennia     3,099,562 millennia
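The arithmetic behind the three tables above, as an added worked example that is not part of the original guide: keyspace() computes the number of possibilities (character-set size raised to the password length), seconds_to_crack() divides that by the guide's assumed 100,000 guesses per second, and crack_table() regenerates the time table for any set of lengths and character sets. The function names, the 30-day month and 365-day year used to render durations, and the reading of the 94-character set as printable ASCII are this example's own assumptions, so rounded figures may differ slightly from the printed table.

```python
"""Keyspace and worst-case brute-force time for random passwords.

Added example, not code from the original guide.  Character-set sizes and
the 100,000 guesses/second rate are the appendix's own figures; the unit
conversions below (30-day month, 365-day year) are assumptions made here
for display only.
"""

# Character-set sizes named in the appendix.
CHARSETS = {
    "lower-case letters": 26,
    "lower-case letters + digits": 36,
    "mixed-case letters": 52,
    "single-case letters + digits + symbols": 68,
    "printable ASCII (assumed meaning of 94)": 94,
}

GUESSES_PER_SECOND = 100_000  # the appendix's assumed cracking speed


def keyspace(charset_size: int, length: int) -> int:
    """Maximum number of guesses for a random password: charset_size ** length."""
    if charset_size < 1 or length < 1:
        raise ValueError("charset size and length must be positive")
    return charset_size ** length


def seconds_to_crack(charset_size: int, length: int,
                     rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every possibility at `rate` guesses per second."""
    return keyspace(charset_size, length) / rate


# (unit name, seconds per unit), largest first.  Assumed conversions.
_UNITS = [
    ("millennia", 1000 * 365 * 86400),
    ("centuries", 100 * 365 * 86400),
    ("years", 365 * 86400),
    ("months", 30 * 86400),
    ("days", 86400),
    ("hours", 3600),
    ("minutes", 60),
    ("seconds", 1),
]


def _fmt(value: float) -> str:
    """Three significant figures below 100, thousands-separated integers above."""
    return f"{value:,.0f}" if value >= 100 else f"{value:.3g}"


def human_duration(seconds: float) -> str:
    """Render a duration in the largest unit that yields a value of at least 1."""
    for name, size in _UNITS:
        if seconds >= size:
            return f"{_fmt(seconds / size)} {name}"
    return f"{_fmt(seconds)} seconds"


def crack_table(sizes=(26, 36, 52, 68), lengths=range(3, 13),
                rate: int = GUESSES_PER_SECOND) -> list[list[str]]:
    """One row per password length: [length, time for each charset size]."""
    return [[str(n)] + [human_duration(seconds_to_crack(s, n, rate)) for s in sizes]
            for n in lengths]


if __name__ == "__main__":
    print("Possibilities for lower-case-only passwords:")
    for n in (3, 5, 7, 9):
        print(f"  length {n}: {keyspace(26, n):,}")
    print(f"\nWorst-case time at {GUESSES_PER_SECOND:,} guesses/second:")
    sizes = (26, 36, 52, 68)
    print("length  " + "  ".join(f"{s:>18}" for s in sizes))
    for row in crack_table(sizes):
        print(f"{row[0]:>6}  " + "  ".join(f"{cell:>18}" for cell in row[1:]))
```

The guessing rate is a parameter rather than a constant baked into the table, so the same script shows how the worst-case times shrink when a faster machine is assumed; since the script prints exact values, it also serves as a check on hand-computed figures.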

Based on these figures, even an 8-character random password using lower-case letters and digits can be considered sufficiently complex. If your main password to date has been only 5 characters long, it may already have been compromised, or could be compromised quickly should anyone attempt it.

Note: the above figures apply to random passwords only. Profiling and dictionary attacks are different, because they only work against ‘real word’ passwords.

[117] Geodsoft.com, ‘Good and bad passwords – how to’