How strong are my current passwords?

WARNING: This is the geeky post.

The strength of a password is determined by three factors:

  1. The length of the password,
  2. The complexity of the password, and
  3. The processing power available to the cracker.

The formula looks like this:

  • Strength = Complexity ^ Length / Encryption Operations per Second


  • Strength = the amount of time it would take (in seconds) to process all permutations of a password,
  • Complexity = the number of different characters in the character set that the password was drawn from (e.g. numbers only = 10, lower case letters = 26, lower case + numbers = 36, etc.),
  • Length = the number of characters in the password, and
  • Encryption Operations per Second = the number of permutations a cracker can try per second.

Given that a modern desktop computer can perform over 1,000,000 encryption operations per second*, we can calculate how long it would take to run through all of the permutations of passwords of varying length and complexity as follows:


This chart shows the exponential trend of each of the average complexity curves mapped on a logarithmic scale.

Er, what?

English translation:

  • Exponential = Imagine a chart that looks like the right hand side of the letter U
  • Trend = With so few data points, the chart looks rather jerky. So, I told Excel to display a trend line, instead. It smoothes the curve.
  • Average Complexity Curve = The average amount of time it would take crack a password of a specific length and complexity.
  • Logarithmic Scale = Vertical axis goes up by powers of 100 rather than linearly (1, 2, 3, etc.)

So, how strong are your current passwords? Are they strong enough? Stay tuned…

* I got this number (> 1,000,000 encryption operations per second, or crypts/second, or c/s for short) from an interview with the creator of a password cracking tool called John the Ripper. Here’s the interview. It’s worth a read, if you’re at all interested in this stuff. I found the number in a question on the second page, second paragraph.



0 responses