Your Password Can be Cracked in a Few Hours

Password cracking experts have been honing their skills for years to learn what words and variations people tend to use in passwords. Now they combine readily available collections of letters, numbers, and symbols with open source cracking code and increasingly faster and cheaper hardware to crack people's passwords faster than ever, according to Ars Technica.

Faster Hardware: A Fraction of the Time

Just a few years ago, cracking experts often only had access to fast PCs. Now, for a few thousand dollars, they can easily assemble blazingly fast machines with multiple Graphics Processing Units (GPUs) by adding a few gamer-type video cards in a rack. These configurations have dramatically reduced the time it takes to crack a password.

For example, take a fairly typical 8-character password using upper and lower-case letters, digits and symbols:

  • In 2009, it would take a fast dual-processor PC about 23 years to run through all of the possible combinations of passwords (a "brute-force" cracking technique).[1]
  • Today, a $12,000 system with eight GPU video cards reduces that to about 12 hours, or 17,000 times faster.[2]

How to Make Safer Passwords

After the recent LinkedIn password breach, we blogged about how to make and manage safe passwords. Click here to read it.

Until recently, 8-character passwords were thought to be safe. No more. Now experts are recommending 9-10 characters and taking other precautions that we mentioned in our blog.

To keep you up to date with the latest information, here are a few more tips that could help you make your passwords even safer:

Avoid Common Words

Lots of people use the names of pets or cartoon characters in their passwords. Don't do that. Password crackers already have lists that cover a lot of these common words.

The article suggests that you don't use any words at all. Just use random strings of at least 9-10 letters, numbers and symbols with mixed cases. Don't even try to remember them. Instead, store them in an encrypted master password file that is kept off the network and protected by a single password that's easy for you to remember, but hard for anyone else to guess.

Mix Cases Throughout

We talked about mixing upper and lower case letters. People tend to capitalize the first letter of words. Don't do that. Put the capital letter somewhere in the middle of the word.

Use Symbols and More than 8 Characters

Make your passwords as long as you reasonably can. We suggested up to 10 characters in our recent blog. If the account permits it, use symbols like $%#. The time it takes a computer to crack your password grows exponentially with password length.

Using special characters, along with numbers and mixed case, greatly increases that time (by enlarging the set of possible characters at every position, which is the base that gets raised to the power of the length). Adding just a ninth and tenth character can be enough to frustrate a cracking expert.
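To make the length-versus-character-set point concrete, here is an added worked model (not code from the article or from Ars Technica) that rebuilds the 23-year and 12-hour figures above and projects them to 9 and 10 characters. The character-set sizes (62 alphanumerics, 95 printable ASCII characters) and the time conversions are my assumptions; only the 23-year and 12-hour figures come from the text.

```python
# Added example: a brute-force cost model built from the article's own figures.
# Assumptions (not from the article): 62 alphanumerics, 95 printable ASCII
# characters, 365-day years. Worst case = the whole keyspace is searched.

SECONDS_PER_YEAR = 365 * 24 * 3600
ALPHANUM = 62            # a-z, A-Z, 0-9
ALPHANUM_SYMBOLS = 95    # printable ASCII: 62 alphanumerics + 33 symbols


def keyspace(charset_size: int, length: int) -> int:
    """Candidates a brute-force search must try: base ** length."""
    return charset_size ** length


def implied_rate(charset_size: int, length: int, seconds: float) -> float:
    """Guesses per second needed to exhaust the keyspace in `seconds`."""
    return keyspace(charset_size, length) / seconds


def crack_time_seconds(charset_size: int, length: int, rate: float) -> float:
    """Worst-case time to exhaust the keyspace at `rate` guesses per second."""
    return keyspace(charset_size, length) / rate


def speedup(old_seconds: float, new_seconds: float) -> float:
    """How many times faster the new setup is (23 years vs 12 hours -> 16,790x)."""
    return old_seconds / new_seconds


def projection() -> dict:
    """Re-derive the article's claims and extend them to 9-10 characters."""
    # Rate the eight-GPU rig must sustain to cover 95**8 candidates in 12 hours.
    gpu_rate = implied_rate(ALPHANUM_SYMBOLS, 8, 12 * 3600)
    return {
        "speedup_2009_to_2012": speedup(23 * SECONDS_PER_YEAR, 12 * 3600),
        "gpu_guesses_per_second": gpu_rate,
        # Each extra character multiplies the time by the base (95).
        "hours_9_chars": crack_time_seconds(ALPHANUM_SYMBOLS, 9, gpu_rate) / 3600,
        "years_10_chars": crack_time_seconds(ALPHANUM_SYMBOLS, 10, gpu_rate)
        / SECONDS_PER_YEAR,
        # Dropping symbols shrinks the base from 95 to 62: same length, far less time.
        "minutes_8_chars_no_symbols": crack_time_seconds(ALPHANUM, 8, gpu_rate) / 60,
    }


if __name__ == "__main__":
    for name, value in projection().items():
        print(f"{name:>28}: {value:,.1f}")
```

At the rate implied by the 12-hour figure, a ninth character pushes the worst case to about 1,140 hours and a tenth to roughly 12 years, while an 8-character password without symbols falls in under half an hour.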

Don't Re-Use Passwords

This should be obvious by now, but it bears repeating. Never use the same password on another account. Also, try not to use your email address as your user name, since that makes the user name and password combination too easy to guess. It's like using one key for your house, car, office and safety-deposit box...with instructions on your key ring about where to find all of them.


[1] http://lockdown.co.uk/?pg=combi&s=articles

[2] https://www.arstechnica.com/security/2012/08/passwords-under-assault/