Password Strength

[OBIII]

With all of the concern about ID protection, Steve Gibson of Gibson Research Corp. has come up with a neat way for anyone to check the strength of the passwords that they tend to choose. This is not a password generator, or password cracker, but rather a means to examine the types of passwords that you would normally choose, for everyday use. It gives a better understanding of what it takes to generate a really secure password. Hope it is of use to some of you.


https://www.grc.com/haystack.htm

OB

[Catshooter]

Interesting. My passwords seem to pass the test. Thanks.


Cat

[doc1876]

This is cool, I just tried to have this conversation last night. Now I have "Ammunition"

[RED333]

So you type in your pass words and just give them to a site you dont know?
I dont think so.

[imashooter2]

Do what you want, but Gibson Research is a well known and respected company that has been working in computer and internet security for a long time.

[Cornbread]

Looks like the fastest one would take 3.4 centuries to crack any of mine. I use very strong passwords.

[Blammer]

I just made up a few new ones to try, didn't type any of my "real" one's in. Just in case...

Pretty good ideas.

[bangerjim]

Gee........I guess my luggage code 1-2-3-4 is not as good as I thought!


HA.......ha!

banger

[waksupi]

1.21 centuries for mine. I don't think I'll worry too much!

[Hickory]

This is how mine turned out.




Enter and edit your test passwords in the field above while viewing the analysis below.Brute Force Search Space Analysis:

Search Space Depth (Alphabet):	26+10 = 36
Search Space Length (Characters):	11 characters
Exact Search Space Size (Count): (count of all possible passwords with this alphabet size and up to this password's length)	135,382,323,952,046,196
Search Space Size (as a power of 10):	1.35 x 1017

Time Required to Exhaustively Search this Password's Space:

Online Attack Scenario: (Assuming one thousand guesses per second)	43.05 thousand centuries
Offline Fast Attack Scenario: (Assuming one hundred billion guesses per second)	2.24 weeks
Massive Cracking Array Scenario: (Assuming one hundred trillion guesses per second)	22.56 minutes

[OBIII]

So you type in your pass words and just give them to a site you dont know?
I dont think so.

From my original post: "but rather a means to examine the types of passwords that you would normally choose"

I checked mine, but I trust GRC. Say you were thinking of a new password. That is the purpose. If you have easy passwords and choose to stay with the same types, you increase your chances of being compromised. It's only a tool.

OB

[Cornbread]

Do you want strong passwords you can remember? Just type in a sentence you can remember that is 14 characters long or greater, capitalize every nth letter of each word and leave no spaces. Easy for you to remember, just about impossible to crack e.g.
ILoveMyWifeAndKids!

It is 19 characters and would take 1.47 trillion centuries to crack.

or

ILoveMyBlueHouse!

It is 17 characters long and would take 2.03 billion centuries to crack.

Passwords don't have to be hard to remember stuff like 1Blue@lph!6. What you need to know is that the length of the password matters much more than the complexity of its readability to humans. It has to do with the nature of cracking passwords being a problem that falls into a class of problems called NP problems. So every letter you add, makes it exponentially harder to crack. Computers see those characters as zeros and ones, the letter "A" is no harder for a computer to guess that the symbol "@". It makes no difference, data is data to a computer. What really matters is how many permutations it has to try to come up with the right answer. The longer your password, the harder it will be to crack. 14 characters or longer and no system known to man can crack it. So do yourselves a favor, make your passwords phrases that you can remember that are 14 characters or longer. You'll make your life easier and make your passwords impossible to crack.

[462]

One I'm considering: Brute Force Search Space Analysis:

Search Space Depth (Alphabet):	26+33 = 59
Search Space Length (Characters):	29 characters
Exact Search Space Size (Count): (count of all possible passwords with this alphabet size and up to this password's length)	2,302,143,312,315,097, 670,688,384,719,958,037, 783,979,712,069,444,899
Search Space Size (as a power of 10):	2.30 x 1051

Time Required to Exhaustively Search this Password's Space:

Online Attack Scenario: (Assuming one thousand guesses per second)	7.32 hundred trillion trillion trillion centuries
Offline Fast Attack Scenario: (Assuming one hundred billion guesses per second)	7.32 million trillion trillion centuries
Massive Cracking Array Scenario: (Assuming one hundred trillion guesses per second)	7.32 thousand trillion trillion centuries

Since Obama has already cracked the current one (.029 seconds) seems like it would be prudent to change.

[dragon813gt]

Of course I had to be childish. Here are the results for password; Iloveboobies4Life.

Search Space Depth (Alphabet):26+26+10 = 62
Search Space Length (Characters):17 characters
Exact Search Space Size (Count):
(count of all possible passwords
with this alphabet size and up
to this password's length)3,004,142,822,311,
961,681,685,446,617,322
Search Space Size (as a power of 10):3.00 x 1030
Time Required to Exhaustively Search this Password's Space:
Online Attack Scenario:
(Assuming one thousand guesses per second)9.55 hundred thousand trillion centuries
Offline Fast Attack Scenario:
(Assuming one hundred billion guesses per second)
9.55 billion centuries
Massive Cracking Array Scenario:
(Assuming one hundred trillion guesses per second)
9.55 million centuries


Stringing together three of four random words makes for a very secure password. Just make sure they aren't the names of family members for obvious reasons. I need to change quite a few of mine even though they were generated w/ a program and contain everything possible.

[Catshooter]

Of course one wouldn't put in ones' actual passwords. They are a highly respected and reputable company. So is Microsoft. And who could be more trustworthy than the NSA?

I just typed in passwords of the same style and length as mine.


Cat

[Elkins45]

That's a very interesting website and it makes me think. I had never thought about the difference between length and randomness and how length is more important in a brute force attack.

[dbosman]

This week.
The folks that care keep improving.

Looks like the fastest one would take 3.4 centuries to crack any of mine. I use very strong passwords.

[HollandNut]

interesting

I entered an eight digit password that I used in the past , three letters followed by five digits

with the letters all lower case it's 92.27 years

make one letter upper case and it is 70.56 centuries

[kungfustyle]

Cool stuff.

[fatelk]

I use a lot of passwords at work, for several different systems, and the varying requirements are frustrating. One requires 8 to 12 characters, with at least one capital, one number, and one special character, while another won't allow special characters, etc..

Of course they're all supposed to be different so if one gets hacked they can't get them all, but I know most people either try to make them the same or at least close, or keep them all written down somewhere, defeating the purpose. Then on top of that most of them are required to be changed periodically.