Ever Wondered Just How Good Your Password Is?

toggle-button

Kaspersky password checkerWeb sites are continually reminding us that it's important to choose a strong password. But what makes a password strong? And just how long might it take a powerful computer to crack a strong one, compared with a weak one?

Here's a handy site that can show you. Head to https://password.kaspersky.com/ and type in a password that you might have considered using. As you type, the site shows you just how long it would take to crack on various computers, including a home machine from the 1980s and the current fastest machine in the world.

It's fascinating to see how just a simple change to a password can make it vastly easier or harder to crack. Fred, for example, would take a second to crack, as would Secret. But put them together as Fred-Secret and the time increases to 4 days. Add a 3-digit number to the end, and now the crack time is nearer 30 years.

So next time you think you know whether a password is sufficiently strong, check it at https://password.kaspersky.com/ first.

Please rate this article: 

Your rating: None
4.47619
Average: 4.5 (21 votes)
toggle-button

Comments

Let's change the assumptions a bit:

1. Assume the attacker has downloaded a copy of the password database and is attacking it off-line.
2. Assume the password database is partitioned into 100 equal segments and each segment is attacked by a separate processor (i.e., 100 processors).
3. Assume high end PCs with vector graphics processor are used. This will yield about 3.0E07 password checks/second per processor.
4. Assume every 1.5 or 2.0 years, the number of processors used in the attack doubles and the processing power increases according to Moore's Law (doubles every 1.5 or 2.0 years).

Under these assumptions, the time to crack a password is nowhere near the estimate provided by Kaspersky; however, a password of 16 characters comprised of upper case, lower case, and digits should be secure for your lifetime. Yes, I have a spreadsheet that does the analysis.

Moore's Law pretty much crapped out around 2008, at least with regard to CPUs. Lately manufacturers been concentrating on reducing power consumption, with just a few per cent gain each generation in speed.

GPUs may still have some life left in them though.

Another factor missed in these calculations is how are the passwords stored at the other end.

Has the web site applied the full range of protections such as salting and PBKDF2, bcrypt or scrypt key stretching?

The price of the hardware has been dropping, plus the number of cores has been going up. Another factor though that missing is probability, you maybe 100% safe for a lifetime, assuming that means a 60 year search but in next 30 years, the hacker has a 50% chance of getting in.

My last paragraph above should have said "a password of 16 RANDOM characters ..."

Let L=Lower Case; U=Upper Case; D=Digit; S=Special (characters)
A DLU character has entropy = 5.95; a DLUS character has entropy 6.55
An 8 character DLU password has entropy 8*5.95 =47.6
An 8 character DLUS password has entropy 8*6.55=52.4
A 16 character DLU password has entropy 16*5.95=95.2
The entropy gain from DLU to DLUS is not that much and many sites don't accept special characters. As pointed out by reviewers, as long as the characters are random, length is more important than the character set.
In general it is best to use a program to generate a password of random characters and store the passwords in a password safe.

>> My last paragraph above should have said
You know you can edit your posts, right?

>> The entropy gain from DLU to DLUS is not that much...
Automated brute force attacks don't care about and don't know your password's entropy.
They don't know what characters you used for your password.
So they'll have to (spend valuable time by being obliged to) explore the complete DLUS space.
Even if your password only contains characters from the L space.
Hence, the password "f@K6[Mf3" will be cracked a fast as "goekjsoz" by their brute force algorithm.

>> a password of 16 characters comprised of upper case, lower case, and digits should be secure for your lifetime.
Why do people keep thinking that having a mix of upper/lower case characters and digits is better?
Probably because they've been told that for so long. Too long actually.

A pass phrase like 'I love my cat more than my wife (does)' is way more secure than (the too short password) 'a@5èg4L%'
LENGTH is the key to secure passwords/phrases.

>> Under these assumptions, the time to crack a password is nowhere near the estimate provided by Kaspersky
That site clearly states:
Your password will be bruteforced with an average home computer in approximately ...
In other words, if 1000 average home computers are used (like it is done in botnets), you indeed have to divide the value by 1000.

Certain things that I'd like to share with you guys....

1. No matter how strong your password is, never use a public computer to enter your sensitive information. You never really know what's running in the background on those computers.

2. Also if you are entering passwords in your browser, make sure you disable all extensions [except for password-manager extension] and also that you're in running in Safe/Incognito mode.

3. The best password for ease of use is an 8-letter passphrase combination of alphabets with a capital letter, a number & a special character.

4. Typing passwords on a virtual-keyboard is safer than using your own hardware keyboard.

5. Make sure your computer is free from malware/viruses/key-loggers. Always run a primary antivirus in the background, and perform monthly check-ups with a second-opinion scanner.

>> The best password for ease of use is an 8-letter combination of alphabets with a capital letter, a number & a special character.
That's incorrect. The best password is a pass phrase. Becasue of it's length.
The fact that it's easy to use and remember is a bonus.

That's what I meant. I also stressed on the fact that it should be easy to use, so an 8-letter password is the most ideal one. An example of it is H3ll0 2 U! which automatically becomes a strong password. Using more special characters will increase brute-force time. Spaces are ideal.

>> That's what I meant.
I don't think so.

>> Using more special characters will increase brute-force time.
That's incorrect. (cf. my other comment http://www.techsupportalert.com/content/ever-wondered-just-how-good-your-password.htm#comment-126694)

My point is that (the easier to use) "Hello to you!" is as strong as your "H3ll0 2 U!"
In fact it is stronger since it is 3 characters longer.

Side remark: Be aware that hackers also know the trick of replacing 'to' by '2' and 'e' by '3' and 'you' by 'U'.
So if we're talking about GUESSING passwords (which we didn't so far - we we're talking about brute force cracking them), my password is as weak as yours.

None of these will work if your ISP, VPN or WIFI has been hacked or taken over. I experienced this is a recent trip to Iran. 6. Change passwords regularly, use something like lastpass.
Two observations A hacker would have more than one PC. Most of us here for say $10,000 could put together a rig of 50 to 100 PC. Then start your cracking with one starting with A, the next with B, etc. Then I went into several sites that check password strength, put in the same password "chess2016pass" and found huge differences in the amount of time claimed to break the password in this case it went from 12 days to 54 million years.

And next week when my PC is hacked I'll know where they got the password from!

Since Kaspersky is a big name in Security, and has it's own password protection application in the Antivirus suite, it's probably safe.

As the site states:
Never enter your real password.
This service exists for educational purposes only - Kaspersky Lab is not storing or collecting your passwords.

@rob
>> Add a 3-digit number to the end, and now the crack time is nearer 30 years.
Your sentence suggests that the adding of digits makes your password better. But that's not the case.
It's not the fact that you add 3 DIGITS, you can add three random characters to "Fred-Secret" and it will also go to 30+ years.

The bottom line is: the longer the better (with an optimum of 12 characters). That's why using a pass PHRASE rather then a passWORD is promoted.
I've never understood why people think that adding digits, upper and lower cases and special characters would make your password better.
That's not the case. Why? A brute force attacker doesn't know if you have used special characters and upper/lower cases or not. So, (s)he has (to lose time) to try them no matter what.

Try it in Kapserky's password checker for yourself.
fq2H!@#ys = 4 months
Ilovemycatmorethanmywife = 10000+ centuries

Which one is easier to remember? Which on is easier to enter on your mobile?

Steve Gibson's site has had this forever:

https://www.grc.com/haystack.htm

Cheers

The page you mention states clearly: It is NOT a “Password Strength Meter.”

But it does the same thing.... I have tried both.

Kapersky can provide an estimate on how long it would take them to crack passwords but obviously far better hackers are employed by organizations such as the NSA. A 60 character password is overkill and would actually be a signal to hackers that your data is extremely sensitive and valuable. Most experts agree that within another decade keystroke passwords will be replaced by biometrics such as fingerprints and retinal scans anyway.

The problem comes when you need to enter one of those super complex passwords and you don't have cut/paste from your password store working. Can you remember how to type it? To be fair I do use a password store for many of my passwords but it can be interesting to enter something long and complex say to link your TV or smart box to a pay TV platform. Try entering 60 random characters using a TV remote!

I used KeePass' Password Generator to generate a 60-character password made up of upper and lower case letters, numbers, hyphens, spaces, underscores and other special characters. The site told me the password would take 10,000+ centuries to bruteforce. I suppose KeePass is good enough for me.

Has nothing to do with KeePass, but with typing in 60 characters.
Question is: do you use passwords of 60 chars long?
I guess you don't. And that's not needed neither. It's overkill as another person already said.
Passwords of 12 characters will do fine.