Security research

How easy is it to crack a password?

Cracking a password can be easier than you think. By the time you’re done with this article, you’ll be aware of how important it is to have a strong password.

A computer that can crack an 8-character password in 4.2 hours would need 5.7 trillion years to crack a 16-character one.

Do I have your attention now?

When it comes to securing your privacy and identity on the Internet, passwords are the most common form of protection. Every web application we visit, every account we create, requires a password as a form of identity verification.

Unfortunately, not a lot of people take passwords seriously; as a result, many of the Internet’s passwords are 8 characters long, which can be cracked by someone who wants to spend $50 on some hardware. With such a threat, we urge you to treat the action of choosing a password more seriously.

Password Brute Force

In cryptography, a brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found. Alternatively, the attacker can attempt to guess the key, which is typically created from the password using a key derivation function. This is known as an exhaustive key search. For example, a website may require that the password be between 8 and 16 characters long. In a simplified manner, the cracker may start by trying aaaaaaaa, aaaaaaab, aaaaaaac and so on until it has tried every possible combination of allowable characters.

That’s a lot of combinations of characters. The graph below illustrates the most common password lengths based on an analysis of over 320 passwords.


Source: Statista

Take a password length of 8 characters with the following requirements: it contains a lowercase letter (26 possibilities), an uppercase letter (26 possibilities), a number (10 possibilities), and a punctuation mark (33 possibilities). If you do the math, you’ll find that the total number of possibilities for the 8-character password is 3,025,989,069,143,040, approximately 3 quadrillion.

How does Brute Forcing actually work?

Wait a second: does the cracker have to go to a website, type in my username, type in a password attempt, hit login, and then repeat this 3 quadrillion times? If that were true, you would no longer need to worry about password protection.

In real life, the problem comes from the fact that your username and password are exposed in a data breach. The exposed password may have been stored in a secure way or in an insecure way.

  • The exposed password is hashed rather than stored in plaintext; that’s the secure way. For example, if your password is “mypassword”, it would be stored as “a336f671080fbf4f2a230f313560ddf0d0c12dfcf1741e49e8722a234673037dc493caa8d291d8025f71089d63cea809cc8ae53e5b17054806837dbe4099c4ca” if the website hashed your password using the SHA-512 hash function.
  • The exposed password was stored in an insecure way if it was not hashed and was kept in plaintext. In this case, there would be nothing to brute force, as the password is already in plaintext.

After the cracker obtains the information from the data breach, the attack can start. The cracker just needs a program that tries out different combinations of characters, hashes each one, and compares the result with the hashed value from the breach, plus a piece of hardware fast enough to crack the password in a short period of time.

Regarding the program, there are open source tools that can crack passwords, like Hashcat (which is my favorite) or John the Ripper. Regarding the hardware, that’s not a big deal today, as you can get an AWS instance, a machine that contains a very powerful GPU, for $3.06 per hour.

Improve your password Security

As we discussed, for an 8-character password, there are 3 quadrillion possible combinations. By adding one more character, you increase the number of possible combinations by almost 100x. At 16 characters, it’s 36,079,602,200,334,571,635,466,603,985,857 possible combinations. That would take an 8-GPU rig up to 5.7 trillion years to crack, compared to 4.2 hours with an 8-character password.
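The 8-character total and the time estimates above can be reproduced with a short calculation, shown here as an added example that is not part of the original article. It counts passwords containing at least one character from each of the four classes by inclusion-exclusion and assumes a constant guess rate derived from the article's 4.2-hour figure; the function names are illustrative.

```python
from itertools import combinations

# Character classes and their sizes, as given in the article.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "punct": 33}

# Figure quoted in the article for exhausting the 8-character space.
ARTICLE_8_CHAR_HOURS = 4.2
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(length, classes=CLASSES):
    """Count passwords of `length` with at least one character from every class.

    Inclusion-exclusion: start from all strings over the full alphabet,
    subtract those missing one class, add back those missing two, and so on.
    """
    sizes = list(classes.values())
    alphabet = sum(sizes)
    total = 0
    for k in range(len(sizes) + 1):
        for missing in combinations(sizes, k):
            total += (-1) ** k * (alphabet - sum(missing)) ** length
    return total


def implied_guess_rate():
    """Guesses per second implied by exhausting keyspace(8) in 4.2 hours (assumption)."""
    return keyspace(8) / (ARTICLE_8_CHAR_HOURS * 3600)


def years_to_exhaust(length, rate=None):
    """Worst-case years to try every password of `length` at `rate` guesses/second."""
    rate = implied_guess_rate() if rate is None else rate
    return keyspace(length) / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    print(f"8-character keyspace: {keyspace(8):,}")
    print(f"implied rate: {implied_guess_rate():.3e} guesses/second")
    for n in (8, 10, 12, 14, 16):
        print(f"{n:2d} characters: {years_to_exhaust(n):.3e} years")
```

Because the composition rule excludes every password that is missing a class, the 8-character count is smaller than the 95^8 strings over the full 95-character alphabet.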
