How Secure is your Password?


----------------

Most people realize that some passwords are harder to guess than others. But a new online tool allows you to see just how much variation there is.

The appropriately named www.howsecureismypassword.net has a single, simple purpose: you type in your password and the site tells you how long it would take a desktop PC to crack it, presumably by a brute force attack (that is, literally trying out every possible combination of characters).

It should be noted the site promises that “no data is stored or transferred anywhere.” If you are still a little paranoid, it might be worth typing in a dummy password of the same construction. So, for example, if your password was smith1952, try something like jones1948 instead.

The mathematics of the calculation seems simple enough: as best I can tell it works on the basis that longer passwords take longer to crack, adding numbers as well as letters increases the difficulty, and adding other characters such as punctuation marks adds even more.

The tool does note when you type in one of the 500 most popular passwords, but otherwise doesn’t seem to distinguish between dictionary words and random strings of characters. In reality, actual words are usually considered less secure, as they can be cracked using the much quicker technique of running through every word in a dictionary rather than every combination of characters.

Even with these limitations, and bearing in mind that the results should only be taken as comparatives rather than absolutes, the results are staggering. To give one example, a password I use for discussion forums would apparently take 13 minutes to crack, while a longer one I use for my webmail access would take 138 million years!

To give some illustration of the way the security rises disproportionately with length, here are the times for some password combinations:

Letters only:

6 letters (the least secure password allowable on Hotmail): 30 seconds
7 letters: 13 minutes
8 letters: 5 hours
9 letters: 6 days
10 letters: 163 days
11 letters: 11 years
12 letters: 302 years

Letters and numbers:

6 characters: 3 minutes
7 characters: 2 hours
8 characters: 3 days
9 characters: 117 days
10 characters: 11 years
11 characters: 417 years
12 characters: 15 thousand years

Letters, numbers and other characters:

6 characters: 23 minutes
7 characters: 18 hours
8 characters: 38 days
9 characters: 5 years
10 characters: 252 years
11 characters: 12 thousand years
12 characters: 607 thousand years

One thing to note is that while the numbers leap up the most when extending longer passwords, the practical effects are arguably much more significant for shorter passwords. For example, somebody who did the bare minimum with a Hotmail account (6 letters) could simply add a number and a punctuation mark to the end of their password and extend the cracking time from 30 seconds to 38 days, which would certainly put off many would-be attackers.

It also makes for a good argument that web companies which ask users to choose passwords could make their systems substantially more secure simply by asking for a couple of extra characters or for a combination of letters and numbers.
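As an added illustration (this is not code from the article or from the site it reviews), the following Python script recomputes estimates of this kind from the two quantities the article's tables vary, character-class size and length, and also applies the dictionary and common-password check the article notes the site lacks. The guess rate, the character classes and the two tiny wordlists are assumptions constructed for the example; the figure of 10 million guesses per second was chosen because it roughly reproduces the article's letters-only column.

```python
"""Brute-force search-space estimate, in the spirit of the article's tables.

Added example, not code from the article or from howsecureismypassword.net.
Assumptions (constructed for this example, not taken from the site):
  * the attacker tries every string of the password's length drawn from the
    smallest character class that covers it (N ** L candidates);
  * one desktop tries 10 million guesses per second, a figure picked because
    it roughly reproduces the article's letters-only column;
  * the "common" and "dictionary" sets below are tiny stand-ins for the
    site's 500-most-popular list and for a real wordlist.
"""
import string

GUESSES_PER_SECOND = 10_000_000  # assumed single-desktop rate (constructed)
SECONDS_PER_YEAR = 365 * 24 * 3600

# Ordered smallest to largest so classify() picks the tightest fit.
CLASSES = [
    ("letters", string.ascii_lowercase),                                    # 26
    ("letters+digits", string.ascii_lowercase + string.digits),             # 36
    ("letters+digits+symbols",
     string.ascii_lowercase + string.digits + string.punctuation),          # 68
    ("full printable",
     string.ascii_letters + string.digits + string.punctuation),            # 94
]

COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "abc123"}  # constructed
DICTIONARY_WORDS = {"apple", "orange", "banana", "monkey", "secure"}      # constructed


def keyspace(alphabet_size, length):
    """Candidates of exactly `length` symbols, repetition allowed: N ** L."""
    return alphabet_size ** length


def seconds_to_crack(candidates, rate=GUESSES_PER_SECOND):
    """Worst case: every candidate is tried. The expected case is half of this."""
    return candidates / rate


def human_time(seconds):
    """Round to the largest sensible unit, the way the article's tables do."""
    for name, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.0f} {name}"
    return f"{seconds:,.0f} seconds"


def classify(password):
    """Name and size of the smallest class whose alphabet covers the password."""
    for name, alphabet in CLASSES:
        if all(ch in alphabet for ch in password):
            return name, len(alphabet)
    raise ValueError("password contains characters outside the printable ASCII classes")


def estimate(password, rate=GUESSES_PER_SECOND):
    """Estimate the cheapest attack against `password`.

    A common or dictionary password falls to a wordlist attack whose search
    space is the list size, not N ** L; this is the distinction the article
    notes the site does not draw.
    """
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        attack, candidates = "common-password list", len(COMMON_PASSWORDS)
    elif lowered in DICTIONARY_WORDS:
        attack, candidates = "dictionary", len(DICTIONARY_WORDS)
    else:
        name, n = classify(password)
        attack = f"brute force over {name} ({n}^{len(password)})"
        candidates = keyspace(n, len(password))
    seconds = seconds_to_crack(candidates, rate)
    return {"attack": attack, "candidates": candidates,
            "seconds": seconds, "human": human_time(seconds)}


def article_table():
    """Recompute the article's three columns for lengths 6..12 under our assumptions."""
    rows = []
    for name, alphabet in CLASSES[:3]:
        for length in range(6, 13):
            when = human_time(seconds_to_crack(keyspace(len(alphabet), length)))
            rows.append((name, length, when))
    return rows


if __name__ == "__main__":
    for name, length, when in article_table():
        print(f"{name:24s} {length:2d}: {when}")
    for pw in ("abcdef", "jones1948", "apple", "password", "Smith1952!"):
        print(pw, "->", estimate(pw))
```

Running it prints the three columns for lengths 6 to 12 and a handful of sample estimates. Under these assumptions the letters-only figures land within rounding of the article's (31 seconds for six letters, 303 years for twelve), while the symbols column comes out larger than the article's, which shows how sensitive the estimate is to the assumed alphabet size; the dictionary cases show why a five-item wordlist beats 26^5 candidates by many orders of magnitude.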


43 Responses to How Secure is your Password?

  1. Wow. the password my college issued me for email would take 10 seconds to crack. I feel safe now. -.-‘

  3. Your password is exceptionally secure… That is, until you run it through this program.

    They say no data is stored, but who can you really trust? Use at your own risk…

    • That’s exactly why we wrote:

      It should be noted the site promises that “no data is stored or transferred anywhere.” If you are still a little paranoid, it might be worth typing in a dummy password of the same construction. So, for example, if your password was smith1952, try something like jones1948 instead.

  5. The math is simple:

    There are N possible characters to choose from and your password is X characters long. Examples of N:
    1) Lowercase Letters = 26
    2) 1 + Uppercase = 52
    3) 2 + Numbers = 62
    4) 3 + Special chars ~= 104+

    104 is the standard Windows keyboard, but many more chars can be added through Alt+NUM.

    From there, the number of possible combinations is defined by the mathematical formula for permutations without repetitions:

    N!/((N-X)!)

    That number is then divided by a constant factor (k) of permutations per second (defined by the computer) to give a total amount of time (t) to guess that many permutations. Since the brute force algorithm operates linearly, it is generally a decent approximation.

    So the final formula is:

    t=(N!/((N-X)!))/k

    Units:
    second = permutations/(permutations/second)

    Note this calculation is for a single desktop. Any type of supercomputer, distributed computing, or botnet will make mincemeat of any password extremely quickly.

    • Not anymore. They have it! Your password is not private anymore… if you are smart, change it right now!

  7. How secure is your password?

    Not secure at all. You just gave it away to some website you only just met ;-)

  10. the only issue with sites forcing you to add digits in certain ways to make your passwords more secure is that it makes it much harder to remember them because they’re outside the range of your normal passwords.

    now you either have to write it down, set your computer to always remember it, or click the forgot password link every time. arguably less secure in some ways.

    • After submitting a few passwords in similar formats to my actual passwords, I too was curious to find out some of these. Apparently, f**k is one of them. Are there really that many people who think that is a good idea? :( Apple, orange and banana also make the list. Nom.

  12. I’ve got a good idea for some new websites that provide equally good utility:

    ismysocialsecuritynumberprime.com
    sumdigitsofmycreditcardnumber.com
    mothersmaidenname.com
    howfastcanitypemycheckingaccountnumber.com

    • I've got another new one!

      WhatProgramsAndWebsitesIUseAndWhatMyUsernamesAre.com!

      Because without that, a password is meaningless. Even if they have your password, they'd have to know what it's for, and what your username, etc is.

      And if you're telling me that that little script can find all of that out, you have a massive misunderstanding of the internet and computers and shouldn't be making such over the top and paranoid statements.

      Go ask John Smith if he has any spare foil.

  14. This is ridiculous. Suppose a person is keeping his password as "abcd……z"; your program says that it will take about 19 sextillion years to crack the password. But with common knowledge one can find the sequence easily. Your program's algorithm is based on permutation and combination. But crackers are more imaginative than trying P & C. This is like statistics. It will not lead you anywhere.

  15. I love all of the Flat-Earthers screaming that NOW THEY HAVE YO PASSWOOD!!!!

    Do you really think that I put in the real one? Geeze.

    I tried one with the same type of letters, special characters and numbers as my Geekosystem PW. 700 million years, BTW. Unless the NSA gets interested. Then about 15 seconds, give or take.

  16. Notice the lock icon implying a secure connection? Click on it. They're lying. The connection is NOT secure… they're probably stealing passwords entered there, though I can't prove it. I'm avoiding this site. Why would they put a lock icon there implying that the connection is secure? They also store cookies on your computer. Looks ODD to me.