Luke Hally

Brute force and time

July 23, 2021
What is the longest it would take someone to brute force a password based on certain criteria? The worst case for the hacker? I’ve wondered about this from time to time and now is a chance to find out.

Our scenario: a hacker has a computer or network that can try 40 billion passwords per second. First, some warm-up activities to get used to the calculation. Pick three organisations which have a password policy and restrictions on what passwords users can select, create a password that satisfies each policy, and test it here: https://www.security.org/how-secure-is-my-password/

Before we start

Before we start, some definitions about brute forcing. The shortest time taken to crack is instant: an attacker could get lucky and guess any password on the first attempt. The longest time is if they crack the password on the last attempt (i.e. the last possible combination). The average time is half the max time. Remember this when someone tells you it will take a hacker a billion years to break in.

Facebook (BAD)

Requirement: at least 6 characters long. I created a new account and entered ‘passwo’; yep, this did the trick.

  • Max time to brute force: 7 milliseconds
  • Average time to brute force: 3.5 milliseconds

Commbank (BAD to NOT BAD)

Rules: 8–16 chars long. Must contain numbers and letters. Can contain special characters.

Minimum: 8 chars, letters and numbers.

  • Max time to brute force: 1 minute
  • Average time to brute force: 30 seconds

Max: 16 chars, letters and numbers and a special character.

  • Max time to brute force: 84 billion years
  • Average time to brute force: 42 billion years

UNSW (BAD to NOT BAD)

Rules: at least 8 characters long, containing at least three of: lowercase letter, uppercase letter, number or special character. A bunch of rules around repeating characters and reusing previous passwords.

Min: 8 chars, lowercase and uppercase letters, a number.

  • Max time to brute force: 1 hour
  • Average time to brute force: 30 minutes

Max: UNSW doesn’t set a max limit, so I used 16 as this is common. I included a character from each of the suggested sets. 

  • Max time to brute force: 1 trillion years
  • Average time to brute force: 500 billion years
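The arithmetic behind these figures, as an added worked example that is not part of the original post: the keyspace (alphabet size to the power of the password length) divided by the scenario's 40 billion guesses per second gives the worst case, and half of that is the average. The character-set sizes (26 lowercase, 26 uppercase, 10 digits, 33 symbols) and which sets each minimal password draws from are my assumptions; the security.org calculator used above has its own model, so its figures will differ where its assumptions differ.

```python
"""Brute-force time estimates for the password policies in the post.

Model (from the post's definitions): an attacker trying every candidate
of a given length at a fixed guess rate needs keyspace / rate seconds in
the worst case, and on average half of that.
"""

GUESS_RATE = 40_000_000_000          # guesses per second, from the post's scenario
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed character-set sizes (printable ASCII split). The calculator the
# post used may define its sets differently, so its figures can differ.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length


def brute_force_seconds(length: int, alphabet_size: int,
                        rate: float = GUESS_RATE) -> tuple[float, float]:
    """Return (worst_case, average) seconds to exhaust the keyspace.

    worst_case: the password is the last candidate tried.
    average:    half the worst case, as the post defines it.
    """
    worst = keyspace(length, alphabet_size) / rate
    return worst, worst / 2


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value >= 1."""
    if seconds < 1:
        return f"{seconds * 1000:.1f} milliseconds"
    for name, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


# (length, alphabet size) for each policy discussed in the post. Which
# sets a minimal password draws from is my assumption, not the post's.
POLICIES = {
    "Facebook minimum: 6 lowercase letters": (6, LOWER),
    "Commbank minimum: 8 chars, lowercase + digits": (8, LOWER + DIGITS),
    "Commbank maximum: 16 chars, all four sets": (16, LOWER + UPPER + DIGITS + SYMBOLS),
    "UNSW minimum: 8 chars, lower + upper + digits": (8, LOWER + UPPER + DIGITS),
    "UNSW at 16 chars, all four sets": (16, LOWER + UPPER + DIGITS + SYMBOLS),
    "8 chars with a capital and a symbol": (8, LOWER + UPPER + DIGITS + SYMBOLS),
}


def report(rate: float = GUESS_RATE) -> list[tuple[str, str, str]]:
    """Worst-case and average time for every policy, as readable strings."""
    rows = []
    for name, (length, alphabet) in POLICIES.items():
        worst, average = brute_force_seconds(length, alphabet, rate)
        rows.append((name, humanize(worst), humanize(average)))
    return rows


if __name__ == "__main__":
    for name, worst, average in report():
        print(f"{name}\n  max: {worst}\n  avg: {average}")
```

Running the script reproduces the order of magnitude of the figures above: six lowercase letters fall in milliseconds and eight lowercase-plus-digit characters in about a minute, while adding the uppercase and symbol sets at eight characters moves the worst case into days. Changing `GUESS_RATE` shows how much the answer depends on the attacker's hardware assumption, which is why the "billion years" headline figure should always be read together with the rate it was computed for.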

Reflection

I’m surprised that Commbank’s requirement is so lax at the minimum end. Even if they insisted on including a capital and a symbol, at eight characters, it would still only take hours to brute force.

This has given me pause to think about my password practices. Combined with learning about credential stuffing attacks (attackers using stolen credentials on multiple accounts), I’m thinking I should look at it.
