HTML5, CSS3, and JavaScript Fourth Edition

(Ben Green) #1

CHAPTER 24. PASSWORD RECOMMENDATIONS 234


single-digit numbers). Then they move on to two-letter words, and so on.
This is called brute force.


http://en.wikipedia.org/wiki/Password_cracking mentions (in 2012)
that common desktop computers can try over 100 million passwords per
second. Every year that number goes up. Moore's Law says that, on
average, computing speed doubles every 18 months, so in 2015 the speed
will probably be 400 million passwords per second.


Exam Question 348 (p.357): What is Moore's Law?
Acceptable Answer: Computing speed doubles every 18 months.


Of course, this assumes the hacker has your hash, and can do the cracking
offline. If not, each guess takes much longer.


Let’s assume we have a computer capable of 100 million guesses per second.


Using lower-case letters, we have 26 choices per character.


lower-case letters    time to crack
------------------    ---------------------------
 1                    260 billionths of a second
 2                    6.7 millionths of a second
 3                    175 millionths of a second
 4                    4.5 thousandths of a second
 5                    118 thousandths of a second
 6                    3 seconds
 7                    80 seconds
 8                    35 minutes
 9                    15 hours
10                    16 days
11                    1.1 years
12                    30 years

And remember that every 18 months, those times are cut in half due to
Moore’s Law.


What if we use a bigger variety of characters in our password? It really
helps.


Using letters (26 lower, 26 upper), digits (10), and special characters (maybe
around 30), we have about 100 choices per character.
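To see where the numbers in the table come from, here is an added example (not code from the book) that computes the time to try every password of a given length for any alphabet size, applies the chapter's Moore's Law doubling, and extends the table to the roughly 100-symbol alphabet just described. The 2012 guess rate and the unit names come from the chapter; the function names are my own.

```javascript
// Added example (not from the book): time to exhaust every password of a
// given length, using the chapter's model: alphabetSize ** length guesses
// at a fixed guess rate.

const GUESSES_PER_SECOND_2012 = 100e6; // the chapter's 2012 desktop figure

// Seconds needed to try every string of `length` characters drawn from an
// alphabet of `alphabetSize` symbols at `guessesPerSecond` guesses/second.
function secondsToExhaust(alphabetSize, length, guessesPerSecond) {
  return Math.pow(alphabetSize, length) / guessesPerSecond;
}

// Moore's Law as the chapter states it: speed doubles every 18 months, so
// the guess rate `yearsLater` after the baseline is baseline * 2^(years/1.5).
function guessRateAfter(baselineRate, yearsLater) {
  return baselineRate * Math.pow(2, yearsLater / 1.5);
}

// Render seconds in the same human units the chapter's table uses.
function humanize(seconds) {
  const units = [
    [60 * 60 * 24 * 365, 'years'], [60 * 60 * 24, 'days'], [60 * 60, 'hours'],
    [60, 'minutes'], [1, 'seconds'], [1e-3, 'thousandths of a second'],
    [1e-6, 'millionths of a second'], [1e-9, 'billionths of a second'],
  ];
  for (const [size, name] of units) {
    if (seconds >= size) return `${(seconds / size).toFixed(1)} ${name}`;
  }
  return `${seconds.toExponential(1)} seconds`;
}

// Build the table for one alphabet, like the chapter's 26-letter table.
function crackTable(alphabetSize, maxLength, guessesPerSecond) {
  const rows = [];
  for (let len = 1; len <= maxLength; len++) {
    const secs = secondsToExhaust(alphabetSize, len, guessesPerSecond);
    rows.push({ length: len, time: humanize(secs) });
  }
  return rows;
}

// Lower-case letters only (26 choices) versus the roughly 100-symbol
// alphabet of mixed case, digits and special characters.
for (const size of [26, 100]) {
  console.log(`\n${size} choices per character at ${GUESSES_PER_SECOND_2012} guesses/s:`);
  for (const row of crackTable(size, 12, GUESSES_PER_SECOND_2012)) {
    console.log(`${row.length}\t${row.time}`);
  }
}
console.log(`\n2015 guess rate: ${guessRateAfter(GUESSES_PER_SECOND_2012, 3)}/s`);
```

Changing the alphabet size from 26 to 100 in the loop above is what turns the 12-character row from 30 years into hundreds of millions of years, which is the point the chapter makes next.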
