How long is your password?

We’re constantly reminded that our passwords need to be long enough and complex enough to prevent brute force attacks

I came across an interesting reminder today that longer passwords need to be longer. This article by Thomas Roth notes that the cost of cracking all passwords of length 1 to 6 (assuming the use of an SHA-1 level algorithm for encrypting the password) is about $2 and takes about 49 minutes – comparable with the price and length of a trip to Starbucks. Thomas used rented capacity from Amazon’s cloud computing services to perform the attack.

What this demonstrates is that if an attacker has a means of testing passwords for correctness (either an intercepted message or a copy of an encrypted password), short passwords are exceedingly vulnerable – even to an individual hacker with a very modest computing budget.

The cost of a brute-force attack like this increases exponentially with password length. If we assume that most real world passwords are composed of lower case letters and numbers , the cost increases by a factor of about 36 for each additional character in the password. So a 7-character password would cost about $72, and an 8-character password $2592.

Choosing passwords which are composed of lower case, upper case, numbers, and punctuation symbols should improve this substantially. But passwords still have to be well chosen.

When you last thought up a password to meet these requirements did you:

• Use only one upper case character?
• Make the punctuation mark the first or last character, or a separator between words?
• Use only one number, make it the first or last character, or a separator between words?
• Make the password easily pronounceable?
• Use any words in any language?

If you did, I overestimated the cost of cracking your password. (Password cracking programs try more probable arrangements of characters first).

It’s difficult to choose random passwords by hand.

Unfortunately it’s also even more difficult to remember them.