Topic: Time it takes to hack your password
CF DolFan
« on: May 17, 2023, 12:00:03 pm »

Interesting that in this day and age we haven't figured how to keep up with hacking. I've seen demos before but this chart is pretty interesting. I guess I'm going to be adding a few more characters to my password. I got hacked a few years ago so the one we use now is at 226 years so I guess that's not the worst. Our previous one apparently only takes 5 mins to crack.



Getting offended by something you see on the internet is like choosing to step in dog shite instead of walking around it.
Spider-Dan
« Reply #1 on: May 17, 2023, 12:04:50 pm »

You should use Two-Factor Authentication for anything that matters, which makes this chart significantly less relevant.

For those that don't know, Two-Factor Authentication is an extra security step that requires you to receive a text, phone call, or e-mail on a verified contact in addition to your password.

Dave Gray
« Reply #2 on: May 17, 2023, 12:05:25 pm »

Most of the things I have allow for a certain number of failures before the password has to be locked for a certain amount of time or reset at all.

Also, from what I understand, the real risk of passwords isn't brute force, but it's data leak.

I heard somewhere say that the best way to have passwords is to have them be much longer but not have weird character restrictions.  Like "purple monkey dishwasher" is very hard to hack, easy to remember, and you don't have to write it down.

I drink your milkshake!
Fau Teixeira
« Reply #3 on: May 17, 2023, 12:53:22 pm »

> Most of the things I have allow for a certain number of failures before the password has to be locked for a certain amount of time or reset at all.
>
> Also, from what I understand, the real risk of passwords isn't brute force, but it's data leak.
>
> I heard somewhere say that the best way to have passwords is to have them be much longer but not have weird character restrictions.  Like "purple monkey dishwasher" is very hard to hack, easy to remember, and you don't have to write it down.

That is actually the recommendation from the US Dept of Commerce, but companies are still stuck in the 1 number, 1 uppercase, 1 lowercase paradigm.

Dave Gray
« Reply #4 on: May 17, 2023, 01:17:56 pm »

Pet peeve:

Like many of you, I assume, for passwords that I have to remember (that aren't autogenerated or something), I have various iterations of it with numbers, symbols, and varying character lengths based on the strength required by the website.

Unfortunately, the website doesn't tell you the restrictions when you're entering the password.  It seems so easy, wouldn't help hackers, but would greatly help me remember.

I drink your milkshake!
fyo
« Reply #5 on: May 17, 2023, 03:30:25 pm »

It's worth noting that the table shows the time it takes to crack a single password GIVEN THE MD5 HASH. So the site's user table would have to be leaked first. This certainly happens - and surprisingly often - but it isn't the time it takes to actually "hack your account" if there was no prior leak.

It's also worth noting that the assumption of the hash being MD5 is outdated. While there are some sites that still use MD5 (like this one, probably), if we assume BCRYPT instead, you can multiply those numbers by about 10 million.
Logged
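
The scaling described in the post above, as an added example that is not part of the original post: a keyspace estimator for exhaustive offline guessing against a leaked hash, comparing MD5 with bcrypt. The MD5 guess rate is an assumed round figure, the bcrypt slowdown is the post's "about 10 million", and the function names and sample passwords are constructed for illustration.

```python
import string

# Assumption: round-number MD5 guess rate for one cracking rig; not from the thread.
MD5_GUESSES_PER_SEC = 1e11
# From the post above: bcrypt numbers are "about 10 million" times the MD5 numbers.
BCRYPT_SLOWDOWN = 1e7

POOLS = (string.ascii_lowercase, string.ascii_uppercase,
         string.digits, string.punctuation + " ")


def pool_size(password):
    """Size of the smallest standard character pool that covers the password."""
    if any(not any(ch in pool for pool in POOLS) for ch in password):
        raise ValueError("character outside printable ASCII")
    return sum(len(pool) for pool in POOLS if any(ch in pool for ch in password))


def keyspace(password):
    """Candidates an exhaustive search tries, shortest lengths first."""
    n = pool_size(password)
    return sum(n ** length for length in range(1, len(password) + 1))


def crack_seconds(password, guesses_per_sec, average=True):
    """Offline time given the hash; on average half the keyspace is searched."""
    guesses = keyspace(password)
    if average:
        guesses /= 2
    return guesses / guesses_per_sec


def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, span in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= span:
            return f"{seconds / span:,.1f} {unit}"
    return f"{seconds:.2f} seconds"


def compare(password):
    """Same password, same attacker hardware, two hash functions."""
    md5 = crack_seconds(password, MD5_GUESSES_PER_SEC)
    bcrypt = crack_seconds(password, MD5_GUESSES_PER_SEC / BCRYPT_SLOWDOWN)
    return {"md5": humanize(md5), "bcrypt": humanize(bcrypt)}


if __name__ == "__main__":
    for sample in ("dolphins", "Dolphins17!"):  # constructed sample passwords
        print(sample, compare(sample))
```

These figures are an upper bound for passwords built from dictionary words, since word-list guessing covers them far sooner than a character-by-character search.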
fyo
« Reply #6 on: May 17, 2023, 03:33:58 pm »

> That is actually the recommendation from the US Dept of Commerce, but companies are still stuck in the 1 number, 1 uppercase, 1 lowercase paradigm.

The easy way to combine the two is to start or end all words with capital letters and add a number + punctuation mark of your choice at the end. I.e. "PurpleMonkeyDishwasher7?"

MyGodWearsAHoodie
« Reply #7 on: May 17, 2023, 04:14:24 pm »

So my least secure password is the pin to my ATM card.

There are two rules for success:
 1. Never tell everything you know.
Pappy13
« Reply #8 on: May 17, 2023, 11:37:08 pm »

This is so misleading. First off they have to be making a TON of assumptions of best case scenario here like having the computing power to do it and free access to the password database. Few systems let you try millions of different wrong passwords before revoking your user-id at least temporarily making these types of brute force attacks all but impossible unless they have already compromised the database and have free access to it. Who cares if it takes 7 seconds or 3 months then? If they have free access to the database and the computing power to do it, they are going to brute force your password whether you want them to or not. Those predictions that it will take years to get your password then are assuming that they have to go through every possible combination to get it right which they don't, they can stumble upon the right combination in a fraction of the time it shows here.

This chart is next to irrelevant. Unless your password is ridiculously short and ridiculously easy like with just lower case letters or something, you have nothing to worry about UNLESS they have already compromised the password database and then, unless your password is like 15 characters long with all possible characters in it, they are cracking your password regardless, but that almost never happens. Even the recent case of LastPass where they did get access to the password database, it was an older copy of the database so even then if you had changed your password since they got access to that database they still got the wrong password. This is also what it takes for just 1 user, obviously to hack all of the accounts is going to take much longer, it might take weeks or months for them to get to your account. There's just way too many variables to even hazard a guess how long it would actually take to hack your account with any decent password length.

The hard part is getting free access to the database in the first place. It's a BILLION times easier to just get someone to give you their password through social engineering and if they do that it doesn't matter if it's 400 characters long, it's compromised.
« Last Edit: May 17, 2023, 11:45:35 pm by Pappy13 »

That which does not kill me...gives me XP.
CF DolFan
« Reply #9 on: May 18, 2023, 10:00:49 am »

> Pet peeve:
>
> Like many of you, I assume, for passwords that I have to remember (that aren't autogenerated or something), I have various iterations of it with numbers, symbols, and varying character lengths based on the strength required by the website.
>
> Unfortunately, the website doesn't tell you the restrictions when you're entering the password.  It seems so easy, wouldn't help hackers, but would greatly help me remember.

I'm right there with you. Too many times I am resetting my password and remember it once they give me the parameters. Had they done that up front I'd have easily remembered.

Getting offended by something you see on the internet is like choosing to step in dog shite instead of walking around it.
Brian Fein
« Reply #10 on: May 19, 2023, 01:42:12 pm »

> I'm right there with you. Too many times I am resetting my password and remember it once they give me the parameters. Had they done that up front I'd have easily remembered.

Completely agree with this.  Step one to remembering your password should be to email me the requirements.

Dave Gray
« Reply #11 on: May 19, 2023, 02:32:18 pm »

> Completely agree with this.  Step one to remembering your password should be to email me the requirements.

Why even have it email it to you?  Just show it on the prompt:

Username (an email address):
Password (1 symbol, 1 capital, minimum 8 letters):

That's all it would take

I drink your milkshake!
Brian Fein
« Reply #12 on: May 19, 2023, 02:42:01 pm »

> Why even have it email it to you?  Just show it on the prompt:
>
> Username (an email address):
> Password (1 symbol, 1 capital, minimum 8 letters):
>
> That's all it would take

Just prevents people (i.e., not hackers.  Maybe spouses or someone else in your life) from guessing your password based on knowledge they have.  If it's emailed to you, it's 1 more layer of security that you can easily bypass yourself.

fyo
« Reply #13 on: May 19, 2023, 02:51:41 pm »

> Just prevents people (i.e., not hackers.  Maybe spouses or someone else in your life) from guessing your password based on knowledge they have.  If it's emailed to you, it's 1 more layer of security that you can easily bypass yourself.

Or the hacker could just sign up and see what the requirements were.