HTML5, CSS3, and JavaScript Fourth Edition

(Ben Green) #1

CHAPTER 24. PASSWORD RECOMMENDATIONS 235


totally-random characters    time to crack
1                            1 millionth of a second
2                            1 / 10,000 of a second
3                            1 / 100 of a second
4                            1 second
5                            1.6 minutes
6                            2.7 hours
7                            3.7 months
8                            30 years

And that is just with a single desktop computer. Imagine if they had a
botnet of zombie computers all working together. Of course, you and I are
not worth the effort, but cracking an administrator password to a major
website could be.


http://en.wikipedia.org/wiki/Botnet shows that in 2009 there were
millions of computers in some botnets.


totally-random characters    botnet time to crack
8                            14 minutes
9                            1 day
10                           3 years
11                           300 years

How many characters do you want in your password? 12 is really considered
to be a minimum for anything you really want to protect.


24.3 Common Passwords


Over time hackers have developed lists of common passwords. Hackers
will try these first before going to brute force. This is called a dictionary
attack. Type "common passwords" into a web search engine for an
eye-opening experience.


The dictionary attack is probably the best approach for a hacker that does
not have your hash, since there are many fewer words in the dictionary than
there are random letter combinations.
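The two tables above and the dictionary-attack point can be put into one small cost model. This is an added example, not code from the book; it assumes a 95-symbol printable-ASCII alphabet and 1e8 guesses per second per machine (constructed figures that give the same order of magnitude as the tables, not the author's exact numbers).

```python
"""Rough brute-force vs. dictionary-attack cost model (added example).

Assumed, not from the book: 95 printable ASCII symbols and 1e8 guesses
per second per machine.  Each extra random character multiplies the
work by the alphabet size; a dictionary attack only ever costs the size
of the list, whatever the password length.
"""
from math import log2

ALPHABET = 95            # printable ASCII: letters, digits, punctuation, space
RATE_PER_MACHINE = 1e8   # guesses per second per machine (assumption)


def keyspace(length, alphabet=ALPHABET):
    """Number of candidate strings of exactly `length` random symbols."""
    return alphabet ** length


def seconds_to_exhaust(length, machines=1, alphabet=ALPHABET,
                       rate=RATE_PER_MACHINE):
    """Worst-case time to try every string of the given length."""
    return keyspace(length, alphabet) / (rate * machines)


def dictionary_seconds(list_size, machines=1, rate=RATE_PER_MACHINE):
    """Time to run through a common-password list; independent of length."""
    return list_size / (rate * machines)


def entropy_bits(length, alphabet=ALPHABET):
    """Bits of guessing entropy for a uniformly random password."""
    return length * log2(alphabet)


def human(seconds):
    """Render a duration using the largest unit that keeps it >= 1."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.3g} {name}"
    return f"{seconds:.3g} seconds"


if __name__ == "__main__":
    print("length  one desktop         botnet of 1,000,000 machines")
    for n in range(1, 13):
        print(f"{n:>6}  {human(seconds_to_exhaust(n)):<19} "
              f"{human(seconds_to_exhaust(n, machines=1_000_000))}")
    # A 10,000-entry common-password list is exhausted almost instantly.
    print("dictionary of 10,000:", human(dictionary_seconds(10_000)))
```

Run it to see why 12 random characters are the suggested floor: the one-desktop column crosses into centuries there, while the dictionary line stays at a fraction of a second no matter how long the password is.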


http://blog.eset.com/2012/06/07/passwords-and-pins-the-worst-choices
lists these passwords as its top ten: password, 123456, 12345678, 1234,
qwerty, 12345, dragon, pussy, baseball, football.


http://mashable.com/2011/11/17/worst-internet-passwords/ lists these
