ham-website/posts/i-can-crack-your-password.html

<p>You may think your password is secure. Maybe you have chosen an obscure word, mixed in numbers, and added a
    <code>!</code> to the end. Think you’re pretty safe, huh?</p>

<p>The truth is, you aren’t. I can crack a 5 character password in less then 139 seconds!</p>

<p>We have been trained over time, by
    <em>unproven</em> security techniques, to make our passwords contain numbers and letters; sometimes even an
    <code>@</code> or
    <code>#</code> or
    <code>!</code> is added to the mix.
    <strong>But</strong> the truth is, we are only making it harder on ourselves with passwords that are difficult to remember, but
    easy to guess in a brute-force attack (automated hacking software).</p>

<p>Although a 128-character
    <em>totally random</em> password would be phenomenal, 8 characters is about all that can be enforced without frustrating
    users. However, an 8-character password comprised of uppercase, lowercase, and numbers can be cracked overnight in a
    real world brute-force attack.</p>

<h2 id="the-scoop-on-alpha-numeric-passwords">The Scoop on Alpha-Numeric Passwords</h2>

<p>Even though we are trained to think that a password of
    <code>Blu3D0g5</code> is the most secure type of password, it can still be cracked by a brute-force attack.
</p>

<p>Bare with me while I explain…
    <em>with some maths!</em>
</p>

<p>For every character in an alpha-numeric password there are
    <code>62</code> possibilities. First, you have the
    <code>26</code> character alphabet in lowercase, then
    <code>26</code> more in uppercase, and
    <code>10</code> digits.</p>

<div>
    <pre style="text-align: center;"><code>26 + 26 + 10 = 62</code></pre>
</div>

<p>This is to say that if you choose 8 characters,
    <em>completely at random</em>, your password would be very secure. However, we typically take a familiar word, or couple
    of words, and add some uppercase letters, or replace
    <code>e</code> with
    <code>3</code>, etc… which is
    <strong>not</strong> secure.</p>

<p>When we calculate the Information Entropy (known as the lack of order or predictability) we can see that a completely random
    character set is great, but when it is derived from an English word, or contains a date, it is simply terrible. The equation
    looks like this:</p>

<div>
    <pre style="text-align: center;"><code>[Password_Length] * log2([Number_of_Possibilities]) = "Information Entropy"</code></pre>
</div>

<div>
    <pre><code>8 * log2(62) = "~48 bits"
# which would take almost 9,000 years at 1,000 guesses per second</code></pre>
</div>

<p>
    <em>But, when your password isn’t
        <strong>completely</strong> random, it’s not that simple.</em>
</p>

<p>Because the password we chose was actually two words,
    <code>blue</code> and
    <code>dogs,</code> with some uppercase and numbers mixed in, the total Entropy is
    <strong>MUCH</strong> less. Something closer to
    <code>~28 bits</code>.</p>

<p>
    <strong>So let’s calculate what this actually means.</strong> A brute-force attacker can easily guess 1,000 times per second.
    The total number of options to guess can be calculated by taking the base 2 to the total number of bits.</p>

<div>
    <pre><code>2^28 = 268,435,456
# This is the total number of possibilities the password could be.</code></pre>
</div>

<p>In theory though, an attacker only needs to guess about half the total number of options before stumbling upon the correct
    one. So:</p>

<div>
    <pre><code>268,435,456 / 2 = 134,217,728
# Total number of guesses it takes to guess your password

134,217,728 / 1,000 = ~134,218
# At 1,000 guesses per second, it takes about 134,218 seconds

134,218 / 60 = ~2,237
# Or 2,237 minutes

2,237 / 60 = ~37
# Or 37 hours to guess your password</code></pre>
</div>

<hr>

<h2 id="in-contrast">In Contrast</h2>

<p>Let’s say we use 4
    <strong>random</strong> words, without any numbers, and all lowercase. For example:
    <code>yellow</code>
    <code>tiger</code>
    <code>note</code>
    <code>basket</code>. There are an incalculable amount of words for you to choose from, but most likely, you will choose from
    about 7,000 of the most commonly used words. If you use unique words like
    <code>laggardly</code> or
    <code>pomological</code>, the total time to crack your password will increase
    <strong>exponentially</strong>!</p>

<p>Using this new data, the Information Entropy is now calculated as:</p>

<div>
    <pre style="text-align: center;"><code>[Number_of_words] * log2(7,000)</code></pre>
</div>

<p>So, this new password now has
    <code>~51 bits</code> of Entropy, and using the same time calculations above, we estimate our password would take about
    <code>35,702 years</code> to crack at the rate of 1,000 guesses per second.</p>

<p>That is in stark contrast to the short 37 hours it takes to crack the
    <code>Blu3D0g5</code> password.</p>

<hr>

<h2 id="the-take-away">The Take Away</h2>

<p>By simply increasing the length of our passwords and using words randomly mixed together, we can have the most secure passwords
    that attackers will struggle to figure out, but that we can actually remember. I personally will never forget
    <code>yellow</code>
    <code>tiger</code>
    <code>note</code>
    <code>basket</code> as long as I live. However, now I can’t use it.</p>