Passwords from the hacker's point of view

Posted on 21.10.2009 by Kim N. Lesmer.
What constitutes a strong password? Let's take a look from the hacker's point of view.

First a note about the term "Hacker" from Wikipedia:

In common usage, a hacker is a person who breaks into computers, usually by gaining access to administrative controls.[1] The subculture that has evolved around hackers is often referred to as the computer underground. Proponents claim to be motivated by artistic and political ends, and are often unconcerned about the use of illegal means to achieve them.

Other uses of the word hacker exist that are not related to computer security (computer programmer and home computer hobbyists), but these are rarely used by the mainstream media. Some would argue that the people that are now considered hackers are not hackers, as before the media described the person who breaks into computers as a hacker there was a hacker community. This community was a community of people who had a large interest in computer programming, often creating open source software. These people now refer to the cyber-criminal hackers as "crackers".

So what constitutes a strong password? Should the password be long or just complicated or both?

The strength of a password is measured by the effectiveness of a password in resisting guessing and brute-force attacks.

The strength estimates how many trials an attacker would need, on average, to correctly guess the password. The strength of a password is determined by:

  • Its length
  • Its complexity
  • Its randomness

Let's assume that the hacker knows how long your password is and whether it contains upper case letters or not.

How long would it take him to guess your password?

The hacker will of course try a selection of the most common passwords first. If your password is one of the few hundred most common passwords, he could gain access to your system in a matter of seconds.

Suppose you have a password that is 5 letters long, and each of the letters is a lower case letter (from the English alphabet). If our hacker knows this, he would have to try "26 X 26 X 26 X 26 X 26" = 11,881,376 combinations.

If the hacker tries to guess your password at a rate of 200 guesses a second, using a computer program, he would succeed within 59,406 seconds (about 16 hours), in other words, in less than one day. On average he will find your password in half that time, because it is not likely that your password is the last one he tries.

If we add upper case letters to the password, that gives us 52 different letters that could be used in each of the 5 positions. This time the hacker would need to try "52 X 52 X 52 X 52 X 52" = 380,204,032 combinations.

As you can see, this increases the strength of the password significantly.

The hacker would now on average need about 11 days to crack the password.

Most people want to use the same password for a very long time but in order to do that, the password has to be strong enough to be very difficult for a hacker to crack.

Your password should contain a mix of both lower and upper case letters, as well as numbers and symbols, and it should be at least 8 characters long.

In order to crack such a password the hacker would have to try (approximately) "93 X 93 X 93 X 93 X 93 X 93 X 93 X 93" = 5.59581809665e+15 combinations, which would constitute several million days if I haven't calculated wrong :-)
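The three calculations above (26^5, 52^5 and 93^8 at 200 guesses per second) are instances of one general estimate: alphabet size raised to the password length, divided by the guess rate, halved for the average case. The following script is an added example, not code from the original post; it generalizes the post's arithmetic to any password by inferring which character classes appear, and adds the "most common passwords" check mentioned earlier using a small constructed list. The `GUESS_RATE` constant and the helper names are my own assumptions.

```python
import string

# Guess rate assumed in the post: 200 guesses per second.
GUESS_RATE = 200
SECONDS_PER_DAY = 86400

# Character classes an attacker who knows the password's composition
# would have to search. Note that lower + upper + digits + punctuation
# gives 94, while the post rounds the full printable set to 93.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
}

# Constructed sample of "most common passwords" for the dictionary check;
# a real attacker would use a list of hundreds or thousands of entries.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "abc123"}


def alphabet_size(password: str) -> int:
    """Size of the alphabet implied by the character classes present."""
    chars = set(password)
    return sum(len(cls) for cls in CLASSES.values() if chars & cls)


def keyspace(alphabet: int, length: int) -> int:
    """Number of candidate passwords: alphabet ** length (exact integer)."""
    return alphabet ** length


def seconds_to_crack(space: int, rate: int = GUESS_RATE, average: bool = True) -> float:
    """Time to exhaust the keyspace at `rate` guesses/second.
    With average=True, half the keyspace (expected position of the right guess)."""
    seconds = space / rate
    return seconds / 2 if average else seconds


def estimate(password: str, rate: int = GUESS_RATE) -> dict:
    """Estimate how a brute-force attacker, knowing length and character
    classes, fares against `password`. A common password is treated as
    cracked immediately, before any brute force begins."""
    if password in COMMON_PASSWORDS:
        return {"common": True, "alphabet": 0, "keyspace": 1, "avg_days": 0.0}
    alphabet = alphabet_size(password)
    space = keyspace(alphabet, len(password))
    avg_days = seconds_to_crack(space, rate) / SECONDS_PER_DAY
    return {"common": False, "alphabet": alphabet, "keyspace": space, "avg_days": avg_days}


if __name__ == "__main__":
    # Reproduce the post's three scenarios, then score a few sample passwords.
    for alphabet, length in ((26, 5), (52, 5), (93, 8)):
        space = keyspace(alphabet, length)
        days = seconds_to_crack(space) / SECONDS_PER_DAY
        print(f"{alphabet}^{length} = {space:,} combinations, ~{days:,.1f} days on average")
    for pw in ("hello", "Hello", "password", "Tr0ub4dor&3"):
        print(pw, estimate(pw))
```

Running it prints 0.3 days for the 26^5 case, 11.0 days for 52^5, and roughly 3.2e8 days for 93^8, so the post's "several million days" is, if anything, an understatement at this guess rate. The `average=False` path gives the worst case (the 59,406 seconds quoted for 26^5).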

If you have any comments or corrections feel free to email them to me.