WARNING: This is the geeky post.
The strength of a password is determined by three factors:
- The length of the password,
- The complexity of the password, and
- The processing power available to the cracker.
The formula looks like this:
- Strength = Complexity ^ Length / Encryption Operations per Second
- Strength = the amount of time it would take (in seconds) to process all permutations of a password,
- Complexity = the number of different characters in the character set that the password was drawn from (e.g. numbers only = 10, lower case letters = 26, lower case + numbers = 36, etc.),
- Length = the number of characters in the password, and
- Encryption Operations per Second = the number of permutations a cracker can try per second.
Given that a modern desktop computer can perform over 1,000,000 encryption operations per second*, we can calculate how long it would take to run through all of the permutations of passwords of varying length and complexity as follows:
This chart shows the exponential trend of each of the average complexity curves mapped on a logarithmic scale.
- Exponential = Imagine a chart that looks like the right hand side of the letter U
- Trend = With so few data points, the chart looks rather jerky. So, I told Excel to display a trend line, instead. It smoothes the curve.
- Average Complexity Curve = The average amount of time it would take crack a password of a specific length and complexity.
- Logarithmic Scale = Vertical axis goes up by powers of 100 rather than linearly (1, 2, 3, etc.)
So, how strong are your current passwords? Are they strong enough? Stay tuned…
* I got this number (> 1,000,000 encryption operations per second, or crypts/second, or c/s for short) from an interview with the creator of a password cracking tool called John the Ripper. Here’s the interview. It’s worth a read, if you’re at all interested in this stuff. I found the number in a question on the second page, second paragraph.