atosniper

Calculating password strength?

So how does one go about calculating password strength in terms of time required to crack the password?

 

I was looking at this http://xkcd.com/936/ webpage about passwords here, and it shows a calculation. I thought this was quite interesting. I'd like to know how to do it by hand, like this webpage. For example, say you used a random password of both lower case and upper case letters that was 8 characters long, how many bits of entropy would that be? From there it is simply 2^bits, then divide that by 1000 for 1000 guesses per second. So I guess I need help in knowing how to calculate the bits of entropy in the passwords.


I generally agree with the comic. I believe when it comes to brute force cracking passwords, length is the most significant factor. I've always thought long passwords, almost a short sentence, are much safer than shorter random combinations of characters. Unless someone can guess it... I did a quick google and found quite a few results. This was among the first results and basically covers your exact question; they also link to the same comic. :)


I always found this site was a good rough guide.

https://www.grc.com/haystack.htm

 

I always found it strange when people use totally random combinations, because to a computer it doesn't matter what you type in if it is just randomly guessing.

Even if it does use a dictionary attack, as long as you have a few numbers in it, it will take ages to break...


Thanks for the replies.

 

Yeah, a little after I made my post I found the site below which is pretty interesting. It was too late to reply to my own post though :P

http://www.redkestrel.co.uk/Articles/Rando...rdStrength.html

 

The main part about bits of entropy is below:

Character Pool                        Available Characters (n)   Entropy Per Character
digits                                10 (0-9)                   3.32 bits
lower-case letters                    26 (a-z)                   4.7 bits
case sensitive letters and digits     62 (A-Z, a-z, 0-9)         5.95 bits
all standard keyboard characters      94                         6.55 bits

So my example of an 8-character lower/upper case password would be:

62 possible characters, so 5.95 bits per character. 5.95 × 8 = 47.6 bits of entropy. Then 2^47.6 = 213318142629234.88813457721792354. At 1000 guesses per second, we get 213318142629234.88813457721792354 / 1000 = 213318142629.23488813457721792354 seconds to break the password, which is (213318142629.23488813457721792354 / 86400) / 365 = 6764 years.

 

So pretty safe I guess lol.


I would say finding out how many possible combinations there are divided by how many passwords a PC can check a second would give you a rough idea. I think 12 letters/symbols/numbers offer decent brute force protection in 2012. That number used to be 8 a few years ago.

 

Say you're trying to guess a 4 digit pin code

 

Each slot has 10 possibilities, 0 to 9

 

[0][0][0][0]

 

10^4 = 10,000 possibilities

 

each "Slot" you add on increases it quite a bit

 

Add in another

 

[0][0][0][0][0]

 

10^5 = 100,000 possibilities

 

Add in one more...

 

[0][0][0][0][0][0]

 

10^6 = 1,000,000

 

Say for example we add in a letter to the first example. Then there are 36 possibilities for each slot

 

[0][0][0][A]

 

36^4 = 1,679,616 possibilities

 

Simply adding a single letter took our number of possibilities from 10,000 to over 1.5 million.

 

What you have to keep in mind is that an attacker (hopefully) won't know what you are using in your password or the length. That way they have to test EVERYTHING.

Edited by smakme7757

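A short Python script, added here as an illustration and not code from the thread or from any of the linked sites, that turns the two calculations in the posts above into functions: the per-character entropy table and the 8-character, 1000-guesses-a-second estimate from atosniper's post, and the PIN "slot" counts from smakme7757's post. It also adds an estimate for the case smakme7757 warns about, where the attacker does know the structure of the password. The word-list size (20,000 entries) and the guess rates used are assumed sample values, not measurements.

```python
import math

# Added example: works the thread's own numbers (the entropy table, the
# 62^8 at 1000 guesses/s case, and the PIN slot counts). Pool sizes come
# from the table in the thread; word-list size and rates are assumptions.

SECONDS_PER_YEAR = 365 * 86400

# Character pools from the table in the thread: name -> number of characters
POOLS = {
    "digits": 10,
    "lower-case letters": 26,
    "letters and digits": 62,
    "all standard keyboard characters": 94,
}


def entropy_per_char(pool_size: int) -> float:
    """Bits of entropy one uniformly random character from the pool carries."""
    return math.log2(pool_size)


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` characters drawn uniformly and independently from the pool."""
    return length * math.log2(pool_size)


def combinations(pool_size: int, length: int) -> int:
    """Exact size of the search space: one 'slot' per character, pool_size ** length."""
    return pool_size ** length


def years_to_exhaust(pool_size: int, length: int, guesses_per_second: float) -> float:
    """Worst case for the attacker: every combination has to be tried."""
    return combinations(pool_size, length) / guesses_per_second / SECONDS_PER_YEAR


def years_from_bits(bits: float, guesses_per_second: float) -> float:
    """Same estimate starting from a (possibly rounded) bit count, as the thread does."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def structured_entropy_bits(parts) -> float:
    """Entropy when the attacker knows how the password is built.

    `parts` is a list of (choices, repeat) pairs: each part is picked uniformly
    from `choices` options, `repeat` times. A word from a 20,000-entry list
    followed by two digits is [(20000, 1), (10, 2)] (the 20,000 is an assumption).
    """
    return sum(repeat * math.log2(choices) for choices, repeat in parts)


if __name__ == "__main__":
    for name, size in POOLS.items():
        print(f"{name:34} n={size:3}  {entropy_per_char(size):.2f} bits/char")

    # The thread's worked case: 8 characters from a 62-character pool, 1000 guesses/s.
    print(f"62^8 exact    : {years_to_exhaust(62, 8, 1000):.0f} years")
    print(f"2^47.6 rounded: {years_from_bits(47.6, 1000):.0f} years")

    # The PIN slot walk-through: each extra slot multiplies the space by the pool size.
    for pool, length in [(10, 4), (10, 5), (10, 6), (36, 4)]:
        print(f"{pool}^{length} = {combinations(pool, length):,} possibilities")

    # 12 characters from the 62 pool versus a known word + 2 digits pattern.
    print(f"12 chars from 62 : {entropy_bits(62, 12):.1f} bits")
    print(f"word + 2 digits  : {structured_entropy_bits([(20000, 1), (10, 2)]):.1f} bits")
```

Two things the script makes visible that the hand calculation hides: using the exact 62^8 instead of the rounded 5.95 bits per character moves the answer from about 6764 years to about 6924 years, and the whole estimate scales linearly with the guess rate, so a rate of one hundred billion guesses a second (the figure mentioned later in the thread) divides every year count by 10^8. The last line shows why the structure matters: twelve characters chosen uniformly from 62 carry about 71 bits, while a dictionary word plus two digits carries about 21 bits if the attacker guesses the pattern, regardless of how long the word is.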

WAY back when (pre 2000) I had a Pin number for my bank account that was 12 digits long. I felt pretty safe about that. I only stopped because the bank teller when issuing a new card insisted I only use 4 numbers. Bitch.

 

Using the GRC calculator I ran half a dozen passwords I use on the internet through it. The smallest number was 7000 odd years for 1000 guesses per second. If someone has access to my PC and can make one hundred billion guesses a second I'm not that fussed about my data. I want his/her hardware!


I was reading a few links, and one I came across actually questioned entropy as being the defining point of a strong password. But of course I can't find the link now.

 

In all honesty, I don't have much worth to steal. My passwords are 'good enough', to the point if they are cracked I'm not actually worried.

 

And as with most of the hacks that have been made public in the last couple of years, what's the point of having a strong password when so many systems that are penetrated don't encrypt your password when it's in their database.

Guest xyzzy frobozz

Aboriginal place names are pretty good.

 

Jerilderie52 for example.

 

To your average hacker, that may as well be a random series of letters and numbers. All but uncrackable.

 

Just make sure it isn't also where you happen to live.


Just make sure it isn't also where you happen to live.

For my old address it would have been good.

 

AssEndOfTheWorldThisPlaceIsFuckingBoring

 

I remember one of my mates used to use paragraphs from various books and magazines as his password; he would just keep a list of reminders like <MagazineInitials><edition number>-<page>-<paragraph>

 

Quite effective... as long as no one like me knew about it.
