If the password cannot be guessed, the cracker tries to brute-force it.
This is trying all possible combinations of characters until the password is found.
When brute-forcing, the time to crack the password depends on the amount of possible
passwords that the cracker has to try.
The amount of possible passwords increases with password length and with increasing
diversity of characters being used
Let's take the scenario of a cracker trying 15 million passwords per second. This is
currently the maximum speed
being claimed by password cracker vendors. You need a pretty fast computer to
achieve this. The following table
shows the computed time to crack a password with 15 million tries per second.
Notice the incredible increase in time to try all
possible combinations when password length and complexity increase.
|length: 4, complexity: a-z||--> less than 1 second|
|length: 4, complexity: a-zA-Z0-9 + symbols||--> 4.8 seconds|
|length: 5, complexity: a-zA-Z||--> 25 seconds|
|length: 6, complexity: a-zA-Z0-9||--> 1 hour|
|length: 6, complexity: a-zA-Z0-9 + symbols||--> 11 hours|
|length: 7, complexity: a-zA-Z0-9 + symbols||--> 6 weeks|
|length: 8, complexity: a-zA-Z0-9||--> 5 months|
|length: 8, complexity: a-zA-Z0-9 + symbols||--> 10 years|
|length: 9, complexity: a-zA-Z0-9 + symbols||--> 1000 years|
|length: 10, complexity: a-zA-Z0-9||--> 1700 years|
|length: 10, complexity: a-zA-Z0-9 + symbols||--> 91800 years|
What we see is that any password shorter than 5 characters can be cracked within 5 seconds and any
password shorter than 7 characters can be cracked within a day. With the password length of 9, the cracking time goes to hundreds of years. In most cases this can be considered acceptable
while mostly we need to keep a secret for a maximum of 30 years. To be on the safe side, we recommend a minimum password length of 10 characters.
The crack times mentioned in the table are needed to try all the possible passwords.
There is a great chance that the cracker only needs 50% of this time.
Also bear in mind that a cracker can always have a lucky shot at his first try and
crack the password immediately. The chance is very small, but theoretically it is possible.