Passwords from the attacker's point of view

Published on 2009-10-21. Modified on 2023-10-26.

What constitutes a strong password? Let's take a look from the attacker's point of view.

So what constitutes a strong password? Should the password be long or just complicated or both?

The strength of a password is measured by the effectiveness in resisting guessing and brute-force attacks.

A brute-force attack consists of an attacker systematically submitting all possible passwords and passphrases until the correct one is found. This is typically done using a computer. The attacker can utilize different methods for the attack, but two well known methods are a dictionary attack, in which the attacker makes use of a predefined list of passwords, and a character by character attack in which the computer calculates every possible combination that could make up a password and tests it to see if it is the correct one.

Hence, the strength of a password is estimated by how many trials an attacker would need, on average, to correctly guess the password. The strength of a password is thus determined by:

Let's assume the attacker knows how long your password is and whether it contains any upper-case characters.

How long would it then take him to guess your password?

In order to save time, the attacker will typically try a selection of the most common passwords first. If your password is one of the few hundred most common passwords, such as "password", "qwerty", "12345678", etc., the attacker would gain access to your system in a matter of seconds.

If, for example, you have a password that is 5 characters long, each character is a lower-case letter from the English alphabet, and our attacker knows this, he or she would have to try 11.881.376 different character combinations.

26 X 26 X 26 X 26 X 26 = 11.881.376

If the attacker tries to guess your password at a rate of 200 guesses a second, using a computer program, the attacker would succeed in 59.406 seconds (a little less than 17 hours), in other words, less than a day.

It is very likely that the attacker will find your password much faster than that because it is not likely that your password is the last one he tries.

If we add upper-case letters to the password, that would give us 52 different letters instead of only 26. This time the attacker would need to try 380.204.032 combinations.

As we can see, this increases the strength of the password significantly.

The attacker would now on average take about 11 days to guess the password.

This demonstrates that in order for you to make a strong password, your password should be as long as possible and preferably contain a good mix of both lower-case and upper-case letters, as well as numbers and special symbols (such as #, $, %, etc.).

In order to crack an 8-character password drawn from such a mix, the attacker would have to try approximately 5.59581809665e+15 different combinations, which would constitute several million days (if I haven't calculated wrong).
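The arithmetic above (keyspace = alphabet size raised to the password length, worst case = keyspace divided by the guess rate, average case = half of that) is easy to get wrong by hand, so here is an added example, not part of the original article, that carries it out for the article's three scenarios and for the common-password shortcut. The guess rate of 200 per second is the article's; the list of common passwords and the symbol alphabet (Python's `string.punctuation`, 32 characters) are constructed assumptions, which is why the 8-character case below is fed the article's 93-character alphabet directly rather than derived from a sample password.

```python
import string

# Constructed, deliberately tiny stand-in for "the few hundred most common passwords".
COMMON_PASSWORDS = {"password", "qwerty", "12345678", "123456", "letmein"}

# Character classes the attacker is assumed to know the password is drawn from.
# The symbol class is an assumption (string.punctuation, 32 characters).
CHARSETS = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
}

SECONDS_PER_DAY = 86400


def classes_used(password: str) -> set:
    """Return the character classes actually present in the password."""
    return {name for name, chars in CHARSETS.items() if any(c in chars for c in password)}


def alphabet_size(classes: set) -> int:
    """Size of the alphabet an attacker must enumerate, given the classes present."""
    return sum(len(CHARSETS[c]) for c in classes)


def keyspace(alphabet: int, length: int) -> int:
    """Number of candidate passwords: alphabet ** length (the article's 26 x 26 x ... figure)."""
    return alphabet ** length


def seconds_to_exhaust(space: int, rate: float) -> float:
    """Worst case: the correct password is the last one tried."""
    return space / rate


def expected_seconds(space: int, rate: float) -> float:
    """Average case: the correct password sits halfway through the keyspace."""
    return space / (2 * rate)


def estimate(password: str, rate: float = 200.0) -> dict:
    """Model the article's attacker: common list first, then full enumeration
    over the alphabet the attacker knows the password uses."""
    if password in COMMON_PASSWORDS:
        space = len(COMMON_PASSWORDS)       # found within the common-list pass
        alphabet = 0
        common = True
    else:
        alphabet = alphabet_size(classes_used(password))
        space = keyspace(alphabet, len(password))
        common = False
    return {
        "common": common,
        "alphabet": alphabet,
        "keyspace": space,
        "worst_seconds": seconds_to_exhaust(space, rate),
        "expected_days": expected_seconds(space, rate) / SECONDS_PER_DAY,
    }


if __name__ == "__main__":
    for pw in ["password", "abcde", "aBcDe"]:
        r = estimate(pw)
        print(f"{pw!r}: alphabet={r['alphabet']} keyspace={r['keyspace']} "
              f"worst={r['worst_seconds']:.0f}s expected={r['expected_days']:.1f} days")
    # The article's 8-character case, using its 93-character alphabet directly.
    space8 = keyspace(93, 8)
    print(f"93^8 = {space8}, expected {expected_seconds(space8, 200) / SECONDS_PER_DAY:.3e} days")
```

Run as a script it reproduces the article's figures: 26^5 = 11.881.376 candidates, exhausted in 59.406 seconds at 200 guesses per second, and 52^5 = 380.204.032 candidates with an average of about 11 days. Note that the estimate is only as good as the assumption that the attacker knows the character classes; `classes_used` deliberately models that assumption rather than giving credit for classes a password does not use.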

This doesn't mean that such a password cannot be cracked much faster. I have used a simple example with only 200 guesses per second. It all depends on how fast the computer is and on how many computers might be utilized. The workload can be split between, for example, 100 computers, each running the guesswork on a specific range of characters at the same time. The more resources an attacker has available, the easier it gets to guess the password.

Using an NVIDIA RTX 4090 GPU, for example, Hive Systems calculated in April 2023 that it would take less than an hour to try every possible 8-character combination of characters (upper-case, lower-case, numbers and symbols).

Password strength is thus not just measured by its complexity but also by its length. Today's recommendations are passwords comprising at least 12 characters, but I personally recommend at least 20.