How To Make a Simple Password - Unhackable for 580 million years!

by Janith · 60 comments

in Blogging Tips & Tricks

Following up on my “10 Tips to Prevent Hackers”, I want to put more emphasis on our number one tip – Strong Passwords. The security gained by increasing the length of a password by just one more letter, symbol or number grows at a very, VERY steep exponential rate.

In other words, for every extra character you add to your password you triple, quadruple or even 5x the number of possibilities. The longer the password, the more effort is required to discover it. However, a longer password is also more difficult for users to remember.

So, what if I told you that a simple password would take a human hacker 580 million years to crack, or even a super-computer up to 59 years?! Now, that would be optimum security, wouldn’t it?

Average Time to Discover Password

| No. of Characters | Possible Combinations | Human Hacker | Computer Hacker |
| --- | --- | --- | --- |
| 1 | 36 | 3 minutes | 0.000018 seconds |
| 2 | 1,300 | 2 hours | 0.00065 seconds |
| 3 | 47,000 | 3 days | 0.02 seconds |
| 4 | 1,700,000 | 3 months | 1 second |
| 5 | 60,000,000 | 10 years | 30 seconds |
| 10 | 3,700,000,000,000,000 | 580 million years | 59 years |

This table assumes passwords made up of the letters A-Z and the numbers 0-9. Human discovery assumes one try every 10 seconds. Computer discovery assumes one million tries per second. Also, the “average time to discover” assumes that the password would be discovered in approximately half the time it would take to try all possible combinations.

Example of Average Time to Discover a Password

Let’s say, for example, that for a one-character password there are 36 combinations, consisting of the letters A-Z (26 possibilities) and the numbers 0-9 (10 possibilities). When we apply the assumption that each HUMAN attempt takes 10 seconds, a human hacker should take 360 seconds, or 6 minutes, to break the code.

Then we apply the second assumption, that the hacker will discover the password exactly half-way through. Therefore they will discover the password in 3 minutes, which is referred to as the “average time to discover passwords.”
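The table's arithmetic, as an added example that is not from the original article: it recomputes each row from the stated assumptions (36 characters, one try every 10 seconds, one million tries per second, found half-way through) and goes beyond the table by sizing the minimum length for larger alphabets. The function names and the one-year target are assumptions, and the model covers exhaustive search of randomly chosen passwords only.

```python
"""Recompute the article's table and size a minimum length (added example)."""

HUMAN_RATE = 1 / 10          # article's assumption: one try every 10 seconds
COMPUTER_RATE = 1_000_000    # article's assumption: one million tries per second
YEAR = 365.25 * 86400        # seconds in a year

UNITS = [("years", YEAR), ("days", 86400), ("hours", 3600),
         ("minutes", 60), ("seconds", 1)]


def keyspace(alphabet_size, length):
    """Count of distinct passwords of exactly `length` characters.

    Each extra character multiplies the count by `alphabet_size`
    (36 for A-Z plus 0-9), which is the exponential growth in the table.
    """
    return alphabet_size ** length


def average_seconds(alphabet_size, length, guesses_per_second):
    """Average exhaustive-search time: half the keyspace at the given rate."""
    return keyspace(alphabet_size, length) / 2 / guesses_per_second


def humanize(seconds):
    """Render a duration in the largest unit that is at least 1."""
    for name, size in UNITS:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.6f} seconds"


def table(alphabet_size=36, lengths=(1, 2, 3, 4, 5, 10)):
    """Rows of (length, combinations, human time, computer time)."""
    return [(n, keyspace(alphabet_size, n),
             humanize(average_seconds(alphabet_size, n, HUMAN_RATE)),
             humanize(average_seconds(alphabet_size, n, COMPUTER_RATE)))
            for n in lengths]


def min_length(alphabet_size, guesses_per_second, target_seconds):
    """Shortest length whose average search time reaches the target."""
    length = 1
    while average_seconds(alphabet_size, length, guesses_per_second) < target_seconds:
        length += 1
    return length


if __name__ == "__main__":
    for n, combos, human, computer in table():
        print(f"{n:>2}  {combos:>25,}  {human:>26}  {computer:>18}")
    # Hypothetical policy question: how long must a random password be to
    # survive one year on average at the article's computer rate?
    for label, size in (("A-Z, 0-9", 36), ("a-z, A-Z, 0-9", 62),
                        ("printable ASCII", 95)):
        print(f"{label:<16} {min_length(size, COMPUTER_RATE, YEAR)} characters")
```

The script prints 57.9 years for ten characters where the table says 59, because the table's combination counts are rounded.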

Exponential Growth – What is it?

Below you can see a visual representation of what I meant by the “exponential growth” earlier. Just by adding one extra digit you open up so many more possibilities and make it much harder for hackers to get into your sensitive files.

[Figure: password_graph]

As you can clearly see – by just adding one more digit to your 3-letter password you decrease the chance of a “random guess” by such a value that it is almost impossible for a human to hack. I cannot stress enough how significantly your security improves for every extra digit you add – but don’t go overboard, because you just might forget your next 20-character long password.

Now, Implement & Good Luck!

Hopefully all of that made sense. So, take this into consideration and use as many different digits as possible. Remember you are not limited to just numbers and letters – symbols such as “!@#$%^” are always good for extra unguessable protection.

Article by Janith

Hey, I'm Janith. 16 years old, and livin' in Aussie. I'm with Twitter because it's the simplified version of Facebook + Myspace - crap. Along with Alex, we run Blogussion and plan to bring the blogging house down!

{ 57 comments… read them below or add one }

1 Abhik February 3, 2009 at 8:38 am

That’s really awesome!!
Thanks for the article dude.

Reply

2 Leon - Make Money Online February 3, 2009 at 3:02 pm

This is very interesting! Just curious, did you completely come up with this yourself, or did you get the information and data from another website?

Reply

3 Janith February 3, 2009 at 3:40 pm

@Abhik – Thanks for your comment, appreciate it.

@Leon – It was strangely a bit of both, because I read about the exponential growth in password security by just adding one more character in my I.T. class and at the same time, we were doing Probability (Combinations) in Math – so the two helped me devise that table.

However, I must give the credit to my I.T class for inspiring me with the idea ;)

Reply

4 MrMag February 3, 2009 at 4:57 pm

Great advice.
One thing to keep in mind is that it will change depending on how many number/letter/symbol combinations you have.

i.e. if you have 10 letters and 1 number, it won’t be as effective as, say, 10 randomly and evenly dispersed numbers/letters.

But still good info, you can still calculate the number of years a computer will take based off that 1 million tries per second.
So thanks :)

Reply

5 Janith February 4, 2009 at 2:07 am

Thank you for your comment, MrMag.
You’re quite right, just by adding that one extra number you almost raise the possibilities by a significant power.
The difference is just so immense!

Reply

6 Leon - Make Money Online February 3, 2009 at 5:13 pm

Also, forgot to mention: Using a mix of capitals and lowercase adds another set of 26 possible digits.

Reply

7 Janith February 4, 2009 at 2:05 am

Yes of course, the possibilities are endless. Capital letters are a great way to add a whole new 26 combinations, which would take even longer for human and computer hackers alike.

Also, one key that isn’t used for passwords often is the space-bar. It works on most password fields and not many people use it ;)

Reply

8 Ryan February 3, 2009 at 6:04 pm

I always have a hard time coming up with a good unhackable password. Thanks for this data, this will come in handy!

Reply

9 Janith February 4, 2009 at 2:04 am

No worries Ryan! Glad you could get some good out of it :)

Reply

10 Make Money Online Tips February 4, 2009 at 8:53 am

Woooow you have put it so well. I always thought of using less keys but now I know why the bigger the password the better it is.

Reply

11 Alex Fraiser February 9, 2009 at 7:23 pm

Woah, you’ve been using small passwords? Good thing no one has tried anything on you (right?), that could have been bad!

Reply

12 SERPGenius February 5, 2009 at 2:39 am

I accidentally typed this comment on the other article, hopefully you guys can remove that :)

Woah, this is one of those things that we all have in the back of the mind but we don’t realize till someone points it out.

This takes me back to my Year 12 Math’s class with the probability theories :P

Nicely written out Janith!

Reply

13 Blogging Tips February 5, 2009 at 11:19 am

Interesting. Mine should take more than 10 years to crack. Not too bad, eh?

Yan

Reply

14 Alex Fraiser February 9, 2009 at 7:22 pm

Must be a very patient person to even attempt to crack that. ;)

Reply

15 Janith February 6, 2009 at 4:15 am

10 years – is that for a human or computer hacker, Yan?
Nevertheless, either way it is a very long long time ;)

Reply

16 Sire February 6, 2009 at 8:43 am

I have always had trouble remembering passwords so I use a piece of software that remembers all my passwords. It will allow me to generate a password manually or I can let it do it for me automatically once I set the parameters such as length etc. The beauty about it is that double clicking on the password copies it to the clipboard for 20 seconds, time limit for security reasons, and then I paste it into the required area. I think this is pretty good as it gets around those hackers that can copy the keys pressed on the keyboard.

Reply

17 Alex Fraiser February 9, 2009 at 7:21 pm

20 seconds?! That sounds really cool. What’s that software called?

Reply

18 Sire February 11, 2009 at 5:22 am

It’s called KeePass Password Safe

Reply

19 SERPGenius February 6, 2009 at 7:53 pm

Okay – I’ve followed some of the tips here and according to these calculations;

It will take 30 years for a computer to hack my password =D

Reply

20 Alex Fraiser February 9, 2009 at 7:20 pm

Sounds good. I pity the fool who wants to crack you. :p

Reply

21 Richael Neet February 7, 2009 at 1:01 am

Internet Usage 101, I suppose. But yeah, password security is getting more and more important in an age when spoofing, cracking and hacking is child’s play. I have had my password cracked once and from that day, I learnt the value of strong passwords. By the way, cracking my current password will crush a super computer lol :p

Reply

22 Alex Fraiser February 9, 2009 at 7:20 pm

Do you use different passwords for each site? Or, are you someone who uses one password on one site (like your blog) and the same ones on other sites?

Reply

23 Cheap Motorcycles February 9, 2009 at 7:19 am

I’ve been meaning to make a skirt for a looong time, and this one is great. I don’t have an overlay mattress, but… I’m sure I can tinker this to my needs.

Reply

24 Pheak Tol February 9, 2009 at 3:42 pm

I didn’t think it would be that easy!…time to up the number of characters to my password haha

Reply

25 Alex Fraiser February 9, 2009 at 7:19 pm

Great idea!

The only downside is that it’s extra hard to remember the password. So unless I write down my passwords somewhere when I go away, I wouldn’t be able to get into many websites I use. =/

Reply

26 Arjun U February 11, 2009 at 7:13 am

nice. really nice. i’m gonna reddit this article…

Reply

27 Janith February 14, 2009 at 12:22 am

Thank you for Redditin’ this article Arjun :)

Reply

28 theblurr March 6, 2009 at 9:38 pm

Great post. Having 10 characters will make a basically un-hackable password as long as you don’t use dictionary words.

Reply

29 seo March 9, 2009 at 8:37 am

cool stuff bro…something like eye ball that couldn’t be seen!

Reply

30 iLinda March 9, 2009 at 9:46 am

Nice article & I will implement your tips in my all types online passwords.

Reply

31 Alex March 9, 2009 at 2:32 pm

Good idea. Never know, someone could be eying your site getting ready to break in.

Reply

32 x-ben March 9, 2009 at 10:26 am

Thank you ~~~

Reply

33 Suganindia March 12, 2009 at 6:13 am

Hehe mine is already 19 characters long

Reply

34 Cody March 26, 2009 at 9:48 pm

Yes this can be true but also keep in mind that you can run more than one pass crack at a time…

Reply

35 Emily- password cracking March 27, 2009 at 12:38 am

Thanks for your tips, I am looking for password protection procedures and got it from you. Thanks, if possible report me the tips about how to protect from gmail hacking, credit card cracking also.

Reply

36 Linn April 9, 2009 at 10:32 pm

Interesting facts.. that’s why I prefer to use shift keys mixed with numbers. My university has a policy that at least one shift key and one numeric and 8 minimum chars to compose a website, it was pretty hard at first, but since that time, I am used to better password creation.. so, we just need a system that works and enforce it for a while, then we will get used to it. I attended Deakin University, Victoria.

This is a fantastic post to enforce.. actually, if you focus this one to be a 12-page article, you might even get published in IEEE or some sort like that.. well done.

Reply

37 Janith April 10, 2009 at 3:28 am

Thank you for stopping by Linn, and it was recently that our school also made “complex” passwords compulsory. Some of them include;
- Minimum 8 characters
- At least one special character (#$@% etc.) and at least one number
- Can’t be the same as your last 25 passwords!
- Can’t be your name, age, student code or address, date of birth.

The new security measures are so much better, because I remember the number of people with the 3-4 letter passwords constantly complaining that they keep getting hacked! *face palms*

Featured on IEEE? That’d be an honor to say the least. :P

Reply

38 Typhoon April 17, 2009 at 6:10 am

The password can be hacked faster if a hacker has a Super Computer with high RAM (say 500GM from that Toshiba Company). Now if he uses any of these Brute force or Dictionary Attacks then he might get the password of your account quickly.

At Last! The possibilities are less :0 (lol)

Reply

39 thetrojan01 May 2, 2009 at 3:03 am

HACKERS USE COMPUTERS FOR BRUTE FORCING. SO IT ISN’T 580 million years but 59!

Also, this is not true with the use of WordLists.

Reply

40 Meredian Credit Union May 14, 2009 at 3:41 am

hey thankx for this useful post …. the tips are amazing and it is a new and good way to safe our accounts… great post

Reply

41 Joel Brown May 16, 2009 at 12:28 am

I think that this can also have some bearing on whether it is just letters or if there are numbers included as well. I have seen 10 character passwords cracked by a computer in no time, and 5 character passwords that include a symbol, still not beaten in a number of days.

I do understand some of it can be luck, but I think adding a symbol immediately adds a major jump in the ability to crack a password.

Reply

42 Bob May 23, 2009 at 5:40 pm

I don’t plan to live that long

Reply

43 How To Easy - Jake July 23, 2009 at 7:54 pm

It’s good not to use passwords that are easily guessed either, especially if you have sensitive information locked behind it. When I was a kid, my cousins and I tried for about an hour to guess the password on my uncle’s computer. When we started “really thinking” we decided we’d try a password related to his profession. He was a preacher at the time. So naturally we typed in jesus and cracked the password. We really thought we were something because of that. LOL Thanks for the great tip!

Reply

44 ZQ | Travel Blog August 7, 2009 at 8:20 am

wow a 10-letter password – that’s tough to remember.. perhaps can use auto-form filling bots e.g. Roboform

ZQ

Reply

45 Notahacker August 12, 2009 at 12:27 pm

Seriously? 10 characters? Whoopde-woo, a 10-character strong password! The arguments for your article are theoretically sound (yes, a 10-character password can be many orders of magnitude more secure than a shorter one), but in practice it is meaningless. This is because it assumes a simple brute-force attack, which is a highly inefficient way of cracking passwords.

Don’t get me wrong, this is sound advice, but it is incomplete, and as such it is incorrect and also potentially dangerous. Everyone who reads this article should be aware that simply the length of a password does NOT mean it will be safer. In fact, unless proper practice is used, making a password longer could make it less safe.

The key to a secure password is to keep it random and varied. Modern convention calls for a minimum of 14 characters, including upper and lowercase letters, numbers and symbols. It is important not to use common words, or l33t-speak, as well as elements of your name (or username) or words/numbers that can easily be attributed to you (birthdates, names of loved ones, etc). Also, avoid using characters more than once, putting the same type of character together (number followed by number, symbol followed by symbol).

Personally, I think of a password in terms of easily memorable words and numbers which make sense to me, and then add a mix of symbols and upper/lower case letters and assign similar characters in replacement of others. Therefore, the end result is a complex password that still resembles easily memorable words to me. So for example, “supercool69” (which is easily memorable) would become “zV9#r€.O/6n!4E” (s becomes z, u becomes V, p becomes 9, e becomes #, r stays r, c becomes €, o becomes . , o becomes O, l becomes /, 6 stays 6, 9 becomes n!4E). As you can see, if you know the original supercool69, it is not hard to remember the harder version, which will add an incalculably greater amount of security than the 11-character long “supercool69”.

Don’t be fooled everyone, making your passwords safe means WORKING to keep them safe. A password that is not annoying to type in is not a good password!

Reply

46 Seth August 12, 2009 at 2:05 pm

I really see your point… I think the article is trying to make this point as well though.

Strong passwords are based on using multiple character types and lengths. Good point and thanks for the discussion!

Reply

47 used tires August 16, 2009 at 9:54 pm

I’ve taken a computer Security course a few years ago, I learned a lot when it comes to this stuff! And I can certainly agree that making a password 10 characters long at the least, and making sure to mix capital with lower case letters, will make it a very very strong password for sure! Because if you use capital and lower case letters, it increases your range of possible characters by a lot! =D

Till then,

Jean

Reply

48 Vic of BusinessAccent August 17, 2009 at 1:02 pm

Wow…great great article. My first time to read such post. Thanks. What a nice illustration of numeric figures. By the way, how about special characters like %$*, do they have the same difficulty with ordinary letters and numbers?

Reply

49 University Heights real estate September 5, 2009 at 8:40 pm

Thanks a ton Janith, this was a perfect table explaining how many characters are suitable, with having 10 character long password, I’ve been in favor of keeping two passwords. Like logging in for email or forums, you need two passwords to sign in. You can keep one password 10-character long and the other one shorter. But as you said it would take a computer hacker 59 years, my idea might not be worth practicing it lol.

Reply

50 Hakeem - technology and gadgets September 6, 2009 at 11:45 pm

What a long time just to be able to discover a password.

Reply

51 Volksphone September 19, 2009 at 9:25 am

Ok I think 59 years for computer hacker is really secure. I didn´t not live this time from this day.

regards
Volksphone

Reply

52 Garry@moistdesigns September 21, 2009 at 3:52 am

Awesome for anyone to think on this. Simple logic with rationality makes this acceptable. Even if we consider technology updates and other factors and shorten the time by half, still it is a long enough time to think of another password, isn’t it ;) I liked it.

Reply

53 oes tsetnoc September 24, 2009 at 2:38 am

great article tutorial, I am thinking to add more special characters to all my passwords to prevent hackers.

Reply

54 foo bar December 6, 2009 at 9:39 am

I didn’t read all of the comments, but I have a few questions about this.

1) How did you come up w/ 32 characters? 32 letters in the English alphabet, assuming that’s the basis here. numbers 0-9 would make that 41…. I don’t get it.

2) You say that if number of characters = 1, that would make for 32 combinations. So you’re assuming case-insensitive. You should clarify.

3) Let’s not even go into special characters (they are chars after all).

4) Finally, if someone’s password is the letter “a”, then they deserve to be hacked.

Reply

55 foo bar December 6, 2009 at 9:40 am

Correction to my bullet #1:

1) How did you come up w/ 36 combinations. 32 characters in the English alphabet ….

Reply

56 Fairmutex January 7, 2010 at 12:10 am

Good explanation you have all my respect ;)

But all of this assumes that the passwords are not stored hashed

Because hashing the password will lose some information so that you can never recover the password back. If the password is hashed then it takes less time to guess than described here because multiple passwords map to the same hash. Those who know a bit of math will understand this.

Example with binary (this is not what happens in reality just to give the gist to normal users)
Assume a password is 3 characters long
Let’s say we remove the last character from the password so that the password is not recoverable (I know this only needs two attempts but I am trying to make it simple for you)

set of passwords hash
000 00
001 00
010 01
100 10
101 10
110 11
111 11

By removing the last character we made more passwords valid to match the hash; in this case it’s divided by 2. (It’s the nature of the example that made this decrease the amount of time to guess linear; it might be exponentially reduced in reality.)

So don’t be so sure of the accuracy of the calculation above.

Reply

57 Adam Jonsson January 22, 2010 at 4:42 am

My standard password is 10-12 characters so thanks for assuring me that I’m pretty safe. Of course that I can’t remember all of them – they are stored in KeePass database :)

Reply
