

The numbers show why you should choose a complex password. - aarongough

Although I already had a fairly good understanding of why you should choose a complex password, when I first sat down and worked out the figures I was quite surprised at the margin between a good password and a bad one, so I thought it was worth sharing. This chart began life as a way to convince my non-techie friends that they should make their email and banking passwords slightly harder to guess than 'monkey'. It's worth noting that in a lot of cases a password-taking interface will implement rate-limiting, which can mean that even simple passwords become almost impossible to guess. However, we can't assume that this will always be the case, and so choosing a proper password retains its value.

Below is a table showing the approximate strengths and cracking times of a variety of simple passwords. Each password is constructed from a 'character set', each of which is easy to type with a standard US keyboard. The cracking times are estimated using a baseline rate of 1000 password guesses per second, which should be easily achievable using commodity hardware.

Note: Any password that uses dictionary words will be guessed even faster than listed below. This is because cracking programs will generally use a list of dictionary words and try them all before resorting to trying random combinations of characters. Given that there are (including scientific terms) approximately 1 million words in the English language, any password consisting solely of a single, lower-case, English word could be cracked in only 16 minutes!

  Character Set                             No. of characters in set
  ________________________________________________________________
  Lowercase (L):                            26   abcdefghijklmnopqrstuvwxyz
  Upper and Lowercase (UL):                 52   ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
  Upper, Lower, Numerals (ULN):             62   ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789
  Upper, Lower, Numerals, Symbols (ULNS):   94   ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789~`!@#$%^&*()_-+={[]}:;"'<,>.?/|\

  Example password strengths:
  ___________________________
  Length: 5   Characters: L      Possible variations:  11881376         Time to crack:  3.3          hours   Example: abcde
  Length: 5   Characters: UL     Possible variations:  380204032        Time to crack:  105.6        hours   Example: AbCdE
  Length: 5   Characters: ULN    Possible variations:  916132832        Time to crack:  254.5        hours   Example: A12cd
  Length: 5   Characters: ULNS   Possible variations:  7339040224       Time to crack:  2,038.6      hours   Example: !A1cd
  Length: 7   Characters: ULN    Possible variations:  3521614606208    Time to crack:  978,226.2    hours   Example: 1AbCdE2
  Length: 7   Characters: ULNS   Possible variations:  64847759419264   Time to crack:  18,013,266.5 hours   Example: !cd1FE_
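The table above is just keyspace = (set size)^(length) divided by the guess rate. The script below is an added example, not code from the original post: it reproduces the post's figures from the four character-set sizes and the 1000 guesses/second baseline, adds the equivalent strength in bits, and then re-runs the same keyspaces under an assumed login rate limit of 10 attempts per minute (that limit is an assumption chosen for illustration, not a figure from the post) to show why the post says rate-limiting can make even simple passwords impractical to guess online.

```python
"""Brute-force password-guessing estimates (added example, not the post's code).

Reproduces the variations/time-to-crack table from the character-set sizes and
the post's 1000 guesses/second baseline, then shows the same keyspaces under an
assumed rate-limited login form.
"""
from math import log2

# Character-set sizes from the post (the character strings themselves are not needed).
CHARSETS = {
    "L": 26,     # lowercase
    "UL": 52,    # upper and lowercase
    "ULN": 62,   # upper, lower, numerals
    "ULNS": 94,  # upper, lower, numerals, symbols
}

BASELINE_RATE = 1000.0  # guesses per second, the post's baseline
SECONDS_PER_HOUR = 3600.0


def keyspace(charset, length):
    """Number of distinct passwords of `length` characters drawn from `charset`."""
    return CHARSETS[charset] ** length


def hours_to_exhaust(charset, length, rate=BASELINE_RATE):
    """Hours to try every password in the keyspace at `rate` guesses per second.

    This is the worst case, as in the post's table; on average the right guess
    turns up after about half the keyspace.
    """
    return keyspace(charset, length) / rate / SECONDS_PER_HOUR


def entropy_bits(charset, length):
    """Strength in bits (log2 of the keyspace), the usual way to compare policies."""
    return length * log2(CHARSETS[charset])


def dictionary_minutes(words=1_000_000, rate=BASELINE_RATE):
    """Minutes to try every entry of a wordlist, as in the post's dictionary note."""
    return words / rate / 60.0


def table_rows(rate=BASELINE_RATE):
    """The six (length, charset) rows from the post, with variations, bits and hours."""
    rows = [(5, "L"), (5, "UL"), (5, "ULN"), (5, "ULNS"), (7, "ULN"), (7, "ULNS")]
    return [
        {
            "length": length,
            "charset": charset,
            "variations": keyspace(charset, length),
            "bits": round(entropy_bits(charset, length), 1),
            "hours": round(hours_to_exhaust(charset, length, rate), 1),
        }
        for length, charset in rows
    ]


if __name__ == "__main__":
    print(f"At {BASELINE_RATE:.0f} guesses/s (unthrottled, as in the post):")
    for r in table_rows():
        print(f"  len {r['length']} {r['charset']:<5} {r['variations']:>15,d} "
              f"{r['bits']:>5.1f} bits {r['hours']:>14,.1f} h")
    print(f"  wordlist of 1,000,000 words: {dictionary_minutes():.1f} min")

    # Assumed rate limit for illustration only: 10 login attempts per minute.
    throttled = 10 / 60
    print(f"\nAt {throttled:.3f} guesses/s (assumed 10/min rate limit):")
    for r in table_rows(rate=throttled):
        print(f"  len {r['length']} {r['charset']:<5} {r['hours']:>18,.1f} h "
              f"(~{r['hours'] / 8766:,.1f} years)")
```

Run it as-is to print both tables. The first block matches the post (5 lowercase characters: 3.3 hours; 7 characters from the full set: about 18 million hours); under the assumed 10-per-minute throttle the 5-lowercase keyspace alone takes roughly 19,800 hours, which is the post's point that rate limiting is what the user cannot control and password choice is what they can.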
======
yan
Why do people insist on having short (<12 chars) overly complicated passwords?
The passphrase: "totallysecretpasswordthatyoullneverguess" (or other
similarly-long phrase) serves as a much more secure pass-phrase than the
hodgepodge of non-alphanumeric characters people suggest that good passwords
are and is far easier to remember.

The only impediment to decent pass _phrases_ is services that limit how many
characters your password can be.

~~~
RiderOfGiraffes
Modelling the probability of a single typo in a long but simple password shows
it more likely than in a short but complex password.

Long-but-simple: type 40 characters correctly, each with 99% success
(independently) and you're only 67% likely to get it right.

Short-n-complex: type 10 characters correctly, each with 98% success
(independently) and you're 81% likely to get it right.

Choose your own numbers. People will type long passwords incorrectly.

------
ErrantX
How did you test these?

Are you attacking a "site" (as in spoofing passwords till you get lucky) or
actually cracking known hashes?

I'm assuming the latter (because of the length of time). In which case you
could add some straight cracking stats into the mix as well just to emphasise
the point.

For example you can generate a SHA-1, 5 character rainbow table (which holds
all the hashed passwords for a particular keyspace) for the lowercase charset
in 13 minutes.

And then use it to crack hashes in under 1 second. :)

Upper/Lower 5 chars can be attacked the same way with 40 minutes table
generation and, again, under a second to crack.

~~~
aarongough
The idea is simply to illustrate the sorts of time involved in guessing
someone's password using a brute force attack. If I were attacking hashes then
rainbow tables would definitely be my main worry!

In this case the main worry is websites (email, banking, etc...) that don't
implement rate limiting on their login forms and therefore allow people to
make targeted attacks with fairly simple hardware. Because this is out of
the user's control it's very worthwhile choosing a difficult password...

