
How Long Would Your Password Take To Crack?

If you saw the recent press coverage about the hackers who managed to breach Sony's systems, you'll know that they managed to discover millions of users' passwords which were stored in the systems' databases in an unencrypted form.

Most reputable systems, including Windows itself, store your password in an encrypted form, and there's no way to reverse that encryption to discover the original password.  The only option is to simply try every possible combination, in what's known as a brute force attack.

Trouble is, computers are very good at doing brute force attacks, and a decently powerful desktop computer can try tens of millions of combinations every second.  Ironically, the biggest improvement to password-cracking software in recent years has come about because of the availability of hugely powerful graphics cards.  With the right software, the chips that normally render 35 fps of Grand Theft Auto 9 can now crack passwords instead. 

So now you know why security experts always tell you to choose a long, complicated password, preferably one that contains numbers and punctuation characters rather than just letters: a password drawn from a 26-character repertoire (a-z) is much easier to crack than one drawn from a range of 52 characters (a-z and A-Z) or 62 (including digits too).

If you've ever wondered just how secure your favourite password is, here's a simple web site that will tell you.  Just go to www.howsecureismypassword.net and start typing.  As you type, the indicator is updated after every character to tell you, approximately, how long a desktop PC would typically take to crack it.
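A keyspace calculation in the spirit of what the article and the site describe, as an added example that is not the site's code: it detects which character classes a password uses, sums the guesses needed to exhaust every length up to the password's length over that class union, and divides by an assumed rate of ten million guesses per second (the "tens of millions" figure above). It also short-circuits when the password sits in a small constructed wordlist, because a dictionary attack never walks the keyspace, which is the main reason a class-count estimate can flatter a password. The guess rate, the wordlist and the treatment of unusual characters are assumptions.

```python
import string

# Assumed guess rate: the article quotes "tens of millions of combinations
# every second" for a desktop PC; ten million is used here.
DESKTOP_GUESSES_PER_SECOND = 10_000_000

# Character classes. Once a password uses a class, a brute-force search that
# knows that much has to include the whole class at every position.
LOWER = set(string.ascii_lowercase)     # 26
UPPER = set(string.ascii_uppercase)     # 26
DIGITS = set(string.digits)             # 10
SYMBOLS = set(string.punctuation)       # 32 printable ASCII punctuation marks

# Constructed stand-in for a cracking dictionary; real lists hold millions.
WORDLIST = ["password", "123456", "qwerty", "letmein", "monicalewinsky", "gizmo1"]


def charset_size(password: str) -> int:
    """Size of the smallest union of classes that covers every character."""
    size = 0
    for cls in (LOWER, UPPER, DIGITS, SYMBOLS):
        if any(c in cls for c in password):
            size += len(cls)
    if " " in password:
        size += 1
    # Anything else (accented letters, emoji) counts as one extra symbol each.
    known = LOWER | UPPER | DIGITS | SYMBOLS
    size += len({c for c in password if c not in known and c != " "})
    return size


def keyspace(password: str) -> int:
    """Guesses needed to exhaust every length from 1 up to len(password)."""
    n = charset_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def estimate(password: str, rate: int = DESKTOP_GUESSES_PER_SECOND):
    """Return (method, worst-case seconds).

    A password on the wordlist costs only its position in the list; the
    keyspace figure is meaningless for it.
    """
    if password in WORDLIST:
        return "dictionary", (WORDLIST.index(password) + 1) / rate
    return "brute-force", keyspace(password) / rate


def human_duration(seconds: float) -> str:
    """Render seconds at the largest unit that fits, one decimal place."""
    for name, size in (("years", 365 * 24 * 3600), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


if __name__ == "__main__":
    for pw in ["654321", "gizmo1", "hox,p2", "passw0rd", "DYKtwTSJ?", "monicalewinsky"]:
        method, secs = estimate(pw)
        print(f"{pw:16} {charset_size(pw):3} per position  {method:11} {human_duration(secs)}")
```

Because the estimate assumes the attacker already knows which classes are present, adding a single symbol multiplies the per-position choices from 62 to 94; that is the effect the site shows when one extra character jumps the figure by orders of magnitude.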

Are you worried yet?

 

 

 

 


Comments

by smsvvarez on 16. February 2013 - 4:10  (105456)

141 quadrillion nonagintillion years or with one more character ... Infinity! I win...

by draco africanas on 7. February 2013 - 0:21  (105159)

12 duodecillion years! I win...

by Daiah (not verified) on 30. August 2012 - 16:32  (98521)

48 quintillion years! YES!!! I win.

by J_L on 27. September 2011 - 23:34  (80458)

After improving my LastPass password, it's changed from 273 quadrillion years to 1 nonillion years.

The secret? 133t speak, and 2 extra symbols. Yes, I remember it.

by PChammer (not verified) on 10. August 2011 - 1:46  (77341)

How Long Would Your Password Take To Crack?

Takes me about 2 seconds....I know my password ;0)

Changing passwords along with strong passwords are the best way to keep a passworded spot, secure as possible. Example, email account passwords, change them, I do every month or so. I have a hidden black book with all my written passwords, as stated, with all the passwords out there, you have to write them down.

by Anonymous Security Analyst (not verified) on 8. August 2011 - 17:00  (77204)

The estimate that the site gives for the time to crack is untrue in practical situations, and gives a false sense of security. I just completed a password audit of my company and tried a couple of real life examples for comparison.

One that I cracked in 2 hrs supposedly would take 3 days. One that took me 13 hours would supposedly take 928 years. Obviously a huge difference between what the site claims and reality.

The *worst* piece of advice I keep seeing is to not write your password down. That was true when all you needed was 1 six character password. For the complexity required nowadays, and the large variety of places requiring passwords, you need to write them down. The key is write them down *securely*. Keep them as secure as you would your credit card information.

by AnonymousRandy (not verified) on 19. November 2012 - 20:03  (102579)

I thought the numbers were a little high. But I didn't do a comparison like you did. What were you using to perform the brute force, server, laptop, etc? The numbers given are for a desktop computer. Wondering if that changed your results.

by Dim Wit (not verified) on 7. August 2011 - 19:40  (77099)

But now that I've given them my password, is it still secure?

by AnonymousUser1 (not verified) on 7. August 2011 - 2:59  (77060)

Well apparently my password is at 4 undecillion years. I suppose I'm safe then! :)

by tonickojo on 4. August 2011 - 2:59  (76861)

Well that was fun. The password test said it would take 53 Quintillion years to crack my password. If this test is accurate no human would be able to crack my password, however if a person could I hope we can become friends.

by Zim (not verified) on 3. August 2011 - 22:43  (76852)

My password = 127 trillion years!

by BillBrad (not verified) on 3. August 2011 - 17:07  (76843)

Checking passwords on that site, I got these results:

Mary had a little lamb - 7 sextillion years
Add a space at the end - 372 sextillion years

Et tu Brute - 952 years
Add a space at the end - 49 thousand years

We hold these truths - 2 quintillion years
Add a space at the end - 137 quintillion years

My comment:
Who needs to remember a complicated password with abstruse symbols? This website demonstrates that you can have an easy-to-remember password which is, at the same time, super-secure.

by tweetiepooh on 3. August 2011 - 9:10  (76811)

Just a few observations on some comments

1) Most password systems use various forms of hashing so characters are not encrypted the same each time e.g. E does not always give P.

2) Banking and other "very" secure systems often ask for specific characters from password(s) changing each time. That could be fun for a 22 character generated password of letters, numbers and symbols.

3) Enforced password changes can weaken security as people then write down passwords, use simple passwords, use simple pattern variations or suffixes. It's probably better to enforce a really secure password and let users keep it for much longer.

4) Protect the perimeter. If the hacker can't actually access the system it doesn't matter if the login credentials are known. So your external facing security can be made tight, RSA tokens, armed guards, hungry alligators, and then have looser controls inside.

by athome on 3. August 2011 - 2:01  (76801)

Typing in the password 'monicalewinsky' [without quotation marks] gave the answer 'It would take about 212 thousand years for a desktop PC to crack your password' -:)

by Anonymous CISSP (not verified) on 2. August 2011 - 7:50  (76746)

Passwords are the least secure form of authentication possible for any number of reasons, so why spin your wheels worrying about it? If a malicious user has access to the password file the game is over anyway. It's more likely you'll get infected by a rootkit and have a keylogger installed than having a password file stolen.

As far as your password, it's simple. Use an 8 non-dictionary collection of characters, upper/lower, 1 special character, 1 number and move on. That might get you 2 weeks but in 2 hours they would already have 1000's of other passwords from people who used a dictionary word. You're in the clear. In two weeks the breach will be all over the news and you can change your password then.

It's like the old saying, "I don't have to out run the bear, I only have to out run you!"

And those who are paranoid about testing a password on the site... oh brother.

by Jazzy on 2. August 2011 - 5:16  (76738)

A method I use for creating secure passwords is to think of a word or characters, then make it tougher by using the keys immediately to the left, right, above or below the keys when typing: e.g. say gizmo1 was my word. Create a tougher password by using the keys immediately to the right of each of the letters g i z m o 1 i.e. hox,p2

by Kagne (not verified) on 2. August 2011 - 6:19  (76739)

gizmo1 - 8 seconds
hox,p2 - 55 seconds

by Jazzy on 3. August 2011 - 23:37  (76857)

There you go - the 2nd is more secure than the 1st. Obviously, neither is particularly good, but not the point I was making. My current password = about 1 million years.

by Devo (not verified) on 2. August 2011 - 4:40  (76733)

See https://www.grc.com/haystack.htm

for a great way to make simple to remember but hard to crack passwords

Also links to a podcast explaining the system

Enjoy!

by Anonymouse (not verified) on 2. August 2011 - 1:52  (76723)

use finger print reader?

by AR18 (not verified) on 2. August 2011 - 0:26  (76719)

From a security point-of-view, you can never be too paranoid, and this site is a whopper. If I were a criminal, the first thing I would do is set up a site like this and collect as many passwords as I could and turn it into a rainbow table. I would then sell it to the highest bidder on the black market.

Never ever give out any of your passwords, even as a "test".

by jeep16 (not verified) on 1. August 2011 - 19:01  (76706)

Just FYI - my web filter blocks this site as malware.

by Oxa on 1. August 2011 - 14:13  (76694)

Can someone explain to me why I need a secure password for most websites? What harm can be done if someone obtains my password to Gizmo's website, for example, or to various software forums? (This, of course, does not apply to banking and commercial sites.)

by tonickojo on 4. August 2011 - 23:41  (76935)

That's the way I look at it; with all the things going on in the world today my last concern is my password to Men's Health magazine getting hacked. And as far as my online banking, my credit union ensures their members that in the unlikely event this should happen their money is still insured.

by erithanis (not verified) on 30. March 2012 - 7:00  (91412)

I agree and have a specific password I use for all sites I don't care about.

One important point to note is that I always start with a throw-away password and then use the "forgot password" tool at least once. I am often surprised how often a plain text version of my password is sent to me by email. DO NOT use a password that is linked to an important account (banking, email, etc) if this happens. Your passwords are being stored without one-way encryption by that website and WILL be attempted on any other account a malicious cracker can link to you.

by Morten Grosboel (not verified) on 1. August 2011 - 13:28  (76692)

How secure is it to test your password on an unknown site ???

by Pattern-chaser (not verified) on 1. August 2011 - 12:00  (76688)

It claims that a 6-digit integer password would take less than a millisecond to crack, but "passw0rd" would take 3 hours! Is it assuming that the cracker would know the length and content (numbers, lower- and upper-case letters, other characters...) of a password before it began?

Not impressed.

by Poru (not verified) on 31. July 2011 - 21:38  (76636)

The quantum computer (which is a'comin', folks!) will make brute force a cake-walk, as well as any encryption based on prime factoring.

by Danny (not verified) on 4. August 2011 - 14:27  (76905)

Except that quantum computers can't do what you claim it does. At best they can halve the time it takes to crack passwords, so if your password takes 2 million years to crack via traditional PCs, 1 million years with quantum computers is still way beyond practical. And the same goes for prime factorization or other one way functions. Don't believe the hype, learn the nitty gritty of crypto instead.

by Chris Wright (not verified) on 30. July 2011 - 16:18  (76546)

The tool above just provides a *rough* indication of how long a single desktop PC would take to crack your password. In reality, the bad guys don't use a single PC to hack your password.

Consider a botnet consisting of a few tens of thousands of infected machines (PC's / Mac's / Web servers / etc etc). One particular application available for use by scriptkiddies simply uses 10's of 1000's of PC's in a distributed dictionary attack, or they can use a combination of that along with a pseudo-random generator. One current botnet based in the UK is currently estimated to contain over 100,000 infected PC's. That is an awful lot of computing power...

During July 2011, the number of active botnets has increased up to in excess of 6000 (known).

In 2009, the BredoLab botnet consisted of some 30,000,000 (yes, 30 million) infected machines. Setting those to hack into accounts is as simple as pressing a single button.

So back to passwords, below are some guidelines I printed on one of my websites for our members to use when setting passwords.
One of the examples it suggests is "DYKtwTSJ" which on its own, on a single desktop would take just 2 days to crack, but it also suggests you use symbols and numbers. Just adding those takes it to over 4 million years.

Some of the guidelines below might seem overkill, but then it's just common sense to which ones you should use and to what depth.
Another problem these days which is often more of a problem is the use of trojans/malware, cross-site scripting combined with social media (i.e. click on this picture to see Queen Jobbywotsits boobies) or "Amazing, install this app and see who is visiting your profile, you'll be amazed").

At the end of the day, if you use a strong password and you use good online practices, the chances of being hacked are pretty small, but then all it takes is the bad guy to put a gun to your head and say "hand over your password" and it wouldn't matter how complicated a sequence you used. Luckily the chances of both of those happening are pretty small (unless your next door neighbour is part of the Mafia).

Hints and Tips. (note I said Hints, don't take them as gospel).

DO pick a password you will remember
DO change your password regularly
DO use a mix of uppercase and lowercase characters.
DO use punctuation marks and special characters such as #, $, %.
DO choose a line or two from a song or poem and use the first letter of each word, preceded or followed by a digit. (e.g “Do you know the way to San Jose?” becomes the password DYKtwTSJ?).
DO use a password that you can type quickly without having to look at your keyboard. This makes it harder for someone to notice your password if they happen to be watching over your shoulder.
DO use a password with 8 or more characters. More is better.
DO create different passwords for different accounts and applications.

DON’T write your password down.
DON’T make obvious choices like your last name, first name, nickname, birth date, spouse name, pet name, make/model of car, or favourite expression.
DON’T choose your username as your password.
DON’T share your password with anyone. Once it is out of your control, so is your security.
DON’T use a word contained in English or foreign language dictionaries, spelling lists or commonly digitised texts such as the Bible or an encyclopedia.
DON’T use an alphabet sequence (lmnopqrst), a number sequence (12345678) or a keyboard sequence (qwertyuop).
DON’T use a password shorter than six (6) characters.
DON’T use a word spelled backwards.
DON’T use a password of all digits, or all the same letter.
DON’T use the same password for more than one system or web site.
DON’T Use numbers in place of letters. For example, “Password” becomes “Pa55w0rd.” Dictionary programs are also equipped to combat this technique.
DON’T Use dates to create a password (for example, AUguST2001).
DON’T Re-use any of your last 10 passwords.
DON’T Provide your password – or any of your sensitive or confidential information – over email or instant message. Think of an email message or IM like a postcard. The information can be seen while it’s traversing the Internet. Also, once you send an email, you no longer control the information in it. It can be forwarded to other people without your knowledge or consent.
DON’T Use sample passwords given on different Web sites.

Regards

Chris
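A checker that turns the mechanical parts of Chris's DO/DON'T list into code, as an added example that is neither his nor the site's: it reports every guideline a candidate password breaks, including the "Pa55w0rd" digit-substitution case and the month-plus-year case. The constructed wordlist, the four-character run length used to detect alphabet, number and keyboard sequences, the substitution map and the failure labels are all assumptions; guidelines that depend on the user (memorability, not sharing, not sending by email) cannot be checked this way.

```python
import re
import string

# Constructed mini dictionary; a real check would consult a large wordlist.
WORDLIST = {"password", "gizmo", "letmein", "welcome", "summer", "dragon"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
# Assumed digit/symbol substitutions to undo before the dictionary lookup.
LEET = str.maketrans("0134578@$", "oleastbas")
RUN = 4  # assumed: a run of this many consecutive characters counts as a sequence


def contains_sequence(password: str, run: int = RUN) -> bool:
    """True if any `run` consecutive characters walk the alphabet, the digits
    or a keyboard row, forwards or backwards."""
    low = password.lower()
    tracks = (string.ascii_lowercase, string.digits) + KEYBOARD_ROWS
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        if any(chunk in t or chunk in t[::-1] for t in tracks):
            return True
    return False


def check_password(password: str, username: str = "", history=()) -> list:
    """Return the guidelines the candidate breaks (an empty list means it passes)."""
    failures = []
    low = password.lower()
    if len(password) < 8:
        failures.append("shorter than 8 characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        failures.append("no mix of upper and lower case")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no punctuation or special character")
    if password.isdigit():
        failures.append("all digits")
    if len(set(password)) == 1:
        failures.append("all the same character")
    if contains_sequence(password):
        failures.append("contains an alphabet, number or keyboard sequence")
    # Plain, reversed, and with digit substitutions undone ("Pa55w0rd" -> "password").
    if {low, low[::-1], low.translate(LEET)} & WORDLIST:
        failures.append("dictionary word (plain, reversed or with digit substitutions)")
    if username and low == username.lower():
        failures.append("same as username")
    if re.search("(" + "|".join(MONTHS) + r")\d{2,4}", low):
        failures.append("built from a month and a year")
    if password in list(history)[-10:]:
        failures.append("re-uses one of the last 10 passwords")
    return failures


if __name__ == "__main__":
    for candidate in ["Pa55w0rd", "AUguST2001", "12345678", "DYKtwTSJ?", "Ri7#vQe9!Lm"]:
        print(f"{candidate:12} -> {check_password(candidate) or 'passes'}")
```

The song-lyric example from the list, "DYKtwTSJ?", comes back with a single failure (no digit), which is the gap the list itself closes by saying to precede or follow the letters with a digit.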