All Random Characters
Password attacking is not as hard as some Security Officers imply. Besides the standard dictionary attack, there are letter generators, which people used to fool themselves into thinking were too slow.
Random Letter Results
- Based upon 64 character possibilities to define a possible range.
A 3 character password will be cracked within 262,144 tries or less.
A 4 character password will be cracked within 16,777,216 tries or less.
A 5 character password will be cracked within 268,435,456 tries or less.
A 6 character password will be cracked within 4,294,967,296 tries or less.
A 7 character password will be cracked within 274,877,906,944 tries or less.
And the 8 character password suggested by Microsoft and industry standards can be cracked within 17,592,186,044,416 tries or less.
Now unfortunately, too many systems do not lock a user's account after 2 or more failed login attempts. This means a hacker who is willing to run a random password generator will be able to find a password of 6 or fewer characters within a week, going totally undetected. 274 Trillion or 17.6 Quadrillion attempts will take much longer.
So exactly how long would this really take? Assuming that my last try will be the first match on an account... 11,295 attempts took my system 60 minutes over the Internet using one of my T1 connections - and that was "taking my time" to go undetected. Getting a little more aggressive I could push 20,876 attempts in 60 minutes, only running about 20% of a single T1.
At 20,876 attempts an hour, I could crack any and all passwords of 6 or fewer characters on a server in 205,737 hours (or 8,572 days). This is why people get a false sense of security. My testing shows that within the first 30 days of running I cracked even the most complex passwords. And it could be done without anyone really taking notice. If I am willing to max out the T1 and design this to run a few hundred threads, that huge 8,572 days becomes 1714.4 days or less to crack ANYONE's 6 character password.
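The missing lockout and the "going totally undetected" rates above are both things a defender can check for. The following is an added example, not code from the original page: a sliding-window counter of failed logins per account, run over constructed events at the page's 11,295 attempts per hour, plus the hourly guess ceiling a lockout policy imposes. The account names, the 20-failure alert threshold and the 5-failures/15-minute lockout are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

def flag_guessing(events, window_s=3600, max_failures=20):
    """Map account -> time of first alert, raised when failed logins for that
    account exceed max_failures within a sliding window of window_s seconds."""
    recent = defaultdict(deque)          # account -> recent failure timestamps
    alerts = {}
    for ts, account, ok in sorted(events):
        if ok:
            continue
        q = recent[account]
        q.append(ts)
        while q[0] <= ts - window_s:     # drop failures older than the window
            q.popleft()
        if len(q) > max_failures:
            alerts.setdefault(account, ts)
    return alerts

def guesses_per_hour_with_lockout(threshold, lock_minutes):
    """Steady-state ceiling on guesses against one account when it locks for
    lock_minutes after `threshold` failures (guess time itself ignored)."""
    return threshold * 60 / lock_minutes

# Constructed sample: one hour of failures against a hypothetical account at
# the page's slower rate (11,295 attempts in 60 minutes), plus a normal user
# who mistypes twice and then logs in.
RATE = 11295
SAMPLE = [(i * 3600 / RATE, "svc-backup", False) for i in range(RATE)]
SAMPLE += [(100.0, "alice", False), (110.0, "alice", False), (120.0, "alice", True)]

if __name__ == "__main__":
    for account, ts in flag_guessing(SAMPLE).items():
        print(f"ALERT {account}: >20 failures within an hour, first seen at t={ts:.1f}s")
    capped = guesses_per_hour_with_lockout(threshold=5, lock_minutes=15)
    print(f"lockout 5/15min caps guessing at {capped:.0f}/hour vs 20,876/hour unthrottled")
```

At the page's rate the alert fires within the first seven seconds of the run, while the user with two typos is never flagged.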