Saturday, 17 August 2013

Password Security: how long will a hacker take to crack your passwords?


I was sitting today thinking about those password length checkers you see that tell you if your password is weak or strong. So I decided to make one that tells you how long a hacker should take to crack it.

https://github.com/IrishAdo/PasswordStrength 

Ok, so the way this works is that it tries to work out how long it would take a hacker to crack a password and shows that length of time, rather than "weak" or "strong" like most checkers do. The problem is that according to Moore's Law computers should double in speed every 18 months, so any plugin you build would have to take this into account. Of course I did I added a

The length of time it might take is based on brute forcing all possible values, so you have to work out how many possible values exist for each character. For example, if you have a 6 digit number as a password then there are 10 possible values per digit, meaning that there are 10^6 possible combinations, or in other words 1 million possibilities.

Add the characters [a-z] and you add 26 extra values per character, bringing the total per character to 36. Add the 26 upper case characters [A-Z] and our total now sits at 62. Add the most common symbols on a keyboard and you can bring that number up by an additional 36 characters to 98. So a six character password that had one of each of these types would have a massive 96^6 or 96*96*96*96*96*96 = 782,757,789,696 or 782.8 trillion possible combinations.

Now you're thinking: wow, that's a lot of possibilities, it would take ages for a hacker to crack. Well, take the password "aA1!23", which uses all of the possible types. It would take a hacker with a modern PC just less than 12 hours to brute force that password. A modern PC would be able to brute force 20 million possibilities per second. In 12 hours that's 864,000,000,000 possible passwords checked. You need to make your passwords long enough that we are talking millions of years to brute force.

Wait, I mentioned processing 20 million passwords per second. What about in a few years' time: how many possibilities might a hacker be able to process then? If we assume that 20 million per second is correct for 2013, then using Moore's Law we can look back to 1970 and forward to 2031.

Potential number of passwords that can be checked per second.

Date           # per second           # per hour
1 Jan 1970     0.04                   144 per hour
2 Jul 1971     0.07                   252 per hour
31 Dec 1972    0.15                   540 per hour
1 Jul 1974     0.30                   1,080 per hour
31 Dec 1975    0.60                   2,160 per hour
30 Jun 1977    1.19                   4,284 per hour
30 Dec 1978    2.38                   8,568 per hour
29 Jun 1980    4.77                   17,172 per hour
29 Dec 1981    9.54                   34,344 per hour
29 Jun 1983    19.07                  68,652 per hour
28 Dec 1984    38.15                  137,340 per hour
28 Jun 1986    76.29                  274,644 per hour
28 Dec 1987    152.59                 549,324 per hour
27 Jun 1989    305.18                 1,098,648 per hour
27 Dec 1990    610.35                 2.1 Million per hour
26 Jun 1992    1,220.70               4.3 Million per hour
26 Dec 1993    2,441.41               8.6 Million per hour
26 Jun 1995    4,882.81               17.2 Million per hour
25 Dec 1996    9,765.63               34.4 Million per hour
25 Jun 1998    19,531.25              68.8 Million per hour
25 Dec 1999    39,062.50              137.6 Million per hour
24 Jun 2001    78,125.00              276.2 Million per hour
24 Dec 2002    156,250.00             552.4 Million per hour
23 Jun 2004    312,500.00             1.1 Billion per hour
23 Dec 2005    625,000.00             2.2 Billion per hour
23 Jun 2007    1,250,000.00           4.4 Billion per hour
22 Dec 2008    2,500,000.00           8.8 Billion per hour
22 Jun 2010    5,000,000.00           17.6 Billion per hour
22 Dec 2011    10,000,000.00          35.2 Billion per hour
21 Jun 2013    20,000,000.00          70.4 Billion per hour  <- when written
21 Dec 2014    40,000,000.00          140 Billion per hour
20 Jun 2016    80,000,000.00          280 Billion per hour
20 Dec 2017    160,000,000.00         560 Billion per hour
20 Jun 2019    320,000,000.00         1.1 Trillion per hour
19 Dec 2020    640,000,000.00         2.2 Trillion per hour
19 Jun 2022    1,280,000,000.00       4.4 Trillion per hour
19 Dec 2023    2,560,000,000.00       8.9 Trillion per hour
18 Jun 2025    5,120,000,000.00       17.9 Trillion per hour
18 Dec 2026    10,240,000,000.00      36 Trillion per hour
17 Jun 2028    20,480,000,000.00      72 Trillion per hour
17 Dec 2029    40,960,000,000.00      144 Trillion per hour
17 Jun 2031    81,920,000,000.00      288 Trillion per hour

Now remember the 782.8 trillion possible combinations in our previous example. If we look at 2019 we can see that it would take only an hour to crack that password, and by 2031 only 10 seconds. Of course this doesn't take into account other improvements in cracking techniques.
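The whole estimate above (alphabet size per character class, size^length keyspace, and the 2013 rate doubled every 18 months) as one added JavaScript example; this is not the PasswordStrength plugin's own code. It assumes a symbol class of 34 so the full alphabet is the 96 the worked example multiplies out, and takes 21 Jun 2013 as the base date from the table.

```javascript
// Added example, not code from the PasswordStrength plugin: the brute-force
// estimate the post describes, with Moore's-law scaling of the 2013 rate.
const BASE_RATE = 20e6;                              // guesses per second, mid 2013 (from the post)
const BASE_DATE = new Date(Date.UTC(2013, 5, 21));   // 21 Jun 2013, the "when written" row
const DOUBLING_MONTHS = 18;                          // Moore's Law as the post states it

// Character classes with the sizes the post uses. The symbol class is 34 here so the
// full alphabet is the 96 the post's worked example multiplies out (assumption).
const CLASSES = [
  { size: 10, re: /[0-9]/ },
  { size: 26, re: /[a-z]/ },
  { size: 26, re: /[A-Z]/ },
  { size: 34, re: /[^0-9A-Za-z]/ },
];

// Size of the alphabet an attacker has to cover: every class the password touches.
function alphabetSize(password) {
  return CLASSES.reduce((n, c) => n + (c.re.test(password) ? c.size : 0), 0);
}

// Candidate passwords of the same length over that alphabet (size^length), multiplied
// out step by step so the result stays an exact integer while it is below 2^53.
function keyspace(password) {
  const size = alphabetSize(password);
  let total = 1;
  for (let i = 0; i < password.length; i++) total *= size;
  return total;
}

// Guesses per second on the given date: the 2013 rate doubled once per 18 months
// (halved for dates before 2013), measured in calendar months plus a day fraction.
function rateAt(date) {
  const months = (date.getUTCFullYear() - BASE_DATE.getUTCFullYear()) * 12
    + (date.getUTCMonth() - BASE_DATE.getUTCMonth())
    + (date.getUTCDate() - BASE_DATE.getUTCDate()) / 30.4375;
  return BASE_RATE * Math.pow(2, months / DOUBLING_MONTHS);
}

// Worst-case seconds to exhaust the keyspace at that date's rate.
function secondsToCrack(password, date) {
  return keyspace(password) / rateAt(date);
}

// Render seconds in the largest sensible unit, as a strength meter would show it.
function describe(seconds) {
  const units = [['years', 31557600], ['days', 86400], ['hours', 3600], ['minutes', 60]];
  for (const [name, len] of units) if (seconds >= len) return `${(seconds / len).toFixed(1)} ${name}`;
  return `${seconds.toFixed(1)} seconds`;
}

console.log(describe(secondsToCrack('aA1!23', BASE_DATE)));                            // 10.9 hours
console.log(describe(secondsToCrack('aA1!23', new Date(Date.UTC(2031, 5, 21)))));      // 9.6 seconds
```

Feeding in a longer password (say twelve characters of the same mix) shows why the post says to aim for estimates measured in millions of years.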