Why long passwords matter!

Approximately how long would it take to brute force an 18-character password that is comprised of numbers, letters and characters?

The time it takes to brute force an 18-character password depends on several factors, including the complexity of the password (i.e., the character set used) and the speed at which an attacker can make guesses.

1. Character Set:

  • Lowercase Letters (a-z): 26 characters
  • Uppercase Letters (A-Z): 26 characters
  • Numbers (0-9): 10 characters
  • Special Characters (!, @, #, etc.): ~33 characters (varies depending on the system)

Assuming a standard character set includes uppercase and lowercase letters, numbers, and special characters, there are approximately 95 possible characters.

2. Total Possible Combinations:

For an 18-character password with 95 possible characters:

3. Brute Force Speed:

  • The speed of a brute force attack varies depending on the attacker’s resources. A typical high-powered setup might guess millions to billions of passwords per second.
  • Let’s assume an attacker can make 1 billion guesses per second (which is optimistic for the attacker).

4. Calculation:

Let’s first calculate the number of possible combinations and then estimate the time required.

Total Combinations = 95^18, or 5.9049×10^35

If the attacker can try 1 billion (10^9) passwords per second:

5. Converting to Years:

Time (in years) = 1.8725×10^19 years

Conclusion:

Brute-forcing an 18-character password with a full character set (95 possible characters) would take approximately 18.7 quintillion years (1.87 × 10^19 years) assuming 1 billion guesses per second.

This demonstrates why longer and more complex passwords are highly secure against brute force attacks.

How fast could the government, or someone with unlimited resources, guess passwords?

When considering an entity with essentially unlimited resources, such as a government or a large organization, the speed at which they could perform a brute force attack on passwords could be far greater than typical estimates. Let’s break it down:

1. Advanced Hardware and Resources:

  • Supercomputers: Governments and large organizations may have access to supercomputers capable of performing calculations at speeds vastly greater than consumer hardware. For example, some of the fastest supercomputers today can perform over 1 quintillion (10^18) operations per second (measured in FLOPS—floating-point operations per second).
  • Specialized Hardware: Beyond general-purpose supercomputers, specialized hardware like ASICs (Application-Specific Integrated Circuits) or FPGAs (Field-Programmable Gate Arrays) can be designed specifically for tasks like password cracking, significantly increasing the speed.
  • Quantum Computing: While still largely theoretical for this purpose, quantum computers could in principle crack passwords much faster using algorithms like Grover’s algorithm, which could reduce the time complexity of brute force search.

2. Estimate for a High-End Attack:

Let’s assume an organization with almost unlimited resources could deploy a system capable of trying 1 quintillion (10^18) passwords per second.

3. Calculation for an 18-Character Password:

Given the 95-character set:

Total Combinations = 5.9049×10^35

If the system could try 1 quintillion (10^18) passwords per second:

Time (in seconds) = 5.9049×10^17 seconds

4. Converting to Years:

Time (in years) = 1.8725×10^10 years

Conclusion:

Even with an extremely advanced system capable of trying 1 quintillion passwords per second, it would still take approximately 18.7 billion years to brute force an 18-character password using a full 95-character set.
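The two calculations above, generalized to any alphabet, length and guess rate, as an added example that is not part of the original post. It goes beyond the text by also inverting the calculation to find the shortest length that lasts a target number of years; the function names, the sample passwords and the 365-day year are assumptions, and the arithmetic uses exact integers.

```python
import string

SECONDS_PER_YEAR = 365 * 24 * 3600  # assumption: 365-day year

# The four character classes listed above. 32 ASCII punctuation marks plus
# the space give 33 symbols, for 26 + 26 + 10 + 33 = 95 in total.
CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation + " ",
)

def alphabet_size(password):
    """Alphabet an exhaustive search must cover: every class the password uses."""
    return sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))

def keyspace(size, length):
    """Exact count of candidates of exactly `length` characters (Python big int)."""
    return size ** length

def years_to_exhaust(size, length, guesses_per_second):
    """Worst-case years to try every candidate; the average case is half."""
    return keyspace(size, length) / (guesses_per_second * SECONDS_PER_YEAR)

def min_length(size, guesses_per_second, target_years):
    """Shortest length whose worst-case search lasts at least target_years."""
    length = 1
    while years_to_exhaust(size, length, guesses_per_second) < target_years:
        length += 1
    return length

if __name__ == "__main__":
    # Constructed sample passwords, one per combination of classes.
    for sample in ("correcthorsebattery", "Summer2024", "aB3$"):
        print(f"{sample!r}: alphabet of {alphabet_size(sample)}")
    # The two guess rates used in the text: 1 billion and 1 quintillion per second.
    for rate in (10**9, 10**18):
        print(f"\n{rate:.0e} guesses/s, 95-character alphabet")
        for length in (8, 12, 16, 18):
            years = years_to_exhaust(95, length, rate)
            print(f"  length {length:2d}: {keyspace(95, length):.3e} candidates, {years:.3e} years")
        print(f"  shortest length lasting 1,000 years: {min_length(95, rate, 1000)}")
```

The alphabet size is what drives the estimate: a password drawn only from lowercase letters is searched over 26 symbols, not 95, however long the attacker's full character set is.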

Quantum Computing Impact:

If quantum computing were to be fully realized, it could potentially reduce this time dramatically, but even then, an 18-character password would still be extremely difficult to crack. Quantum computing, using Grover’s algorithm, might reduce the time complexity from O(N) to O(√N). However, even with this reduction, the time would be on the order of millions to billions of years for a password of this length.

Practical Implications:

  • Password Length: Increasing the password length dramatically increases security.
  • Complexity: Including a variety of character types (uppercase, lowercase, numbers, symbols) further enhances security.
  • Multi-Factor Authentication: For highly sensitive data, passwords alone may not be sufficient. Multi-factor authentication (MFA) adds a critical layer of security.

This scenario emphasizes the importance of using long, complex passwords combined with other security measures.

Conclusion:

If you want your data to be safe, use a long password that is comprised of upper- and lowercase letters, numbers and special characters!