just how strong are your passwords?

When choosing a password, a couple of characters can make a big difference, and you can see just how big a difference by using the online TGP Password Strength Checker.  This web based tool provides estimates of how long it would take a well equipped adversary to brute force a given password.  The results are very instructive. 

If your password is “apple” you can expect it to be guessed in under a second by an automated brute force attack by a well funded attacker.  Now, let’s try changing a few parameters and see what happens to the effort required:

Apple – still less than a second… that capital letter did not help too much

Apple450 – now the estimated time jumps to about 27 hours… better, but still pretty darn easy if the attacker is motivated.

Apple*450 – adding that special character really helped, now the attacker would have to crunch the numbers for about 350 days to guess the password.

Apple*+450 – OK, now we’re talking… adding in a second special character just raised the brute forcing time to approximately 73 years.

Apple*+*450 – That last * really made a difference – unless our attacker has 5,547 years to spare, brute force attacks agains this password are pretty futile.

Password length makes a real difference.  For example, the password “Cantaloupe450” would take a very well funded adversary about 2.9 million years to guess (as opposed to 27 hours for “Apple450”).  Length and character set diversity are your friends.

Now, I would not recommend putting your real passwords into the online checker… while the person who wrote it is a well respected security researcher who says that none of the tested passwords are stored, you never know, do you.  However, by experimenting with passwords of a construction similiar to the ones you use, you can get an idea of what you need to do to make your passwords as crack resistant as possible.

Now this system does not take in to account “dictionary” attacks which use word lists like dictionaries or lists of sports team names, proper names or really stupid passwords that people insist on using.  These attacks would be much more efficient.  We security types always tell you not to use dictionary words, but we know that you do… they are easier to remember.  A couple of things you can do to make passwords with dictionary words in them more secure:

• VarY tHE cAPitalIZAtion of the word
• Place numbers or special characters within the word – butter324fly or busy*45bee

Of course, in a well designed system, accounts would be set to lock out after a small number of password attempts, making it pretty much impossible for such dictionary and brute force attacks to work.  But not all systems are well designed (thus keeping people like myself employed and writing blogs).  Protect yourself with a decent password.