How Long Does It Take for a Hacker to Get Your Password?

posted on Jul, 14 2013 @ 06:15 AM
Hi guys

I'm no computer genius and thought this to be quite interesting and useful.


The short answer: it depends, but very quickly if your password is weak.
- If your password is eight characters long and all lower-case, like “password,” it would take a hacker 3.5 minutes to guess it.
- Changing one of those lowercase characters to an uppercase character, like “Password,” means it would take him almost 15 hours.
- Replacing any letter with a special character and keeping the uppercase character, like “P@ssword,” means it would take the hacker 70 days to guess your password.
- If you added a single character to “P@ssword” to form “P@ssword1” it would take the hacker 18 years to guess the password.
- If you added two characters to “P@ssword,” to form “P@ssword11” it would take the hacker 1,707 years to guess the password.
So on and so forth until you arrive at some astronomical numbers. See the table below:


This is the table, sorry the image didn't come out smaller but there is an explanation if you scroll past it





LC being lower case
UC being upper case
Digits being numbers
SC being special characters that require shift, e.g. $, %, *, _, +, !, ", £ etc.

That's kind of hard to follow but the best I co

The article goes on to say

Note the bottom right corner of the table. If your password is 12 characters long, contains uppercase and lowercase characters, a digit and a special character it may take over 15 million years for a hacker to guess your password. This is the simple math behind blanket recommendations to increase your password complexity. NOTE: The math in the above assumes the hacker is randomly generating password guesses.


So if you are using "password" as your password, I suggest changing it.
Same goes for "incorrect".

You can read the article HERE. It explains the maths behind a good online password.

Cody
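The figures in the quoted article all come out of one formula: the size of the alphabet the password draws from, raised to the password's length, divided by the attacker's guess rate. The following script reproduces them. It is an added example, not code from the thread or the article; the 94-symbol alphabet (26 + 26 + 10 + 32 printable ASCII symbols) and the one-billion-guesses-per-second rate are assumptions inferred from the article's own numbers (26^8 guesses in 3.5 minutes), and the 30 billion/s figure is the GPU MD5 rate a later post in this thread quotes.

```python
import string

# Character classes as the article's table labels them (LC, UC, Digits, SC).
# Assumption: SC is the 32 printable ASCII symbols, which together with
# 26 + 26 + 10 gives the 94-symbol alphabet that reproduces the article's figures.
CLASSES = {
    "LC": set(string.ascii_lowercase),
    "UC": set(string.ascii_uppercase),
    "Digits": set(string.digits),
    "SC": set(string.punctuation),
}

# Guess rates in guesses per second. ARTICLE_RATE is inferred, not stated by the
# article: 26**8 guesses in 3.5 minutes is roughly one billion per second.
# GPU_MD5_RATE is the 30 billion/s figure quoted later in the thread for MD5 on four GPUs.
ARTICLE_RATE = 1e9
GPU_MD5_RATE = 30e9


def alphabet_size(password: str) -> int:
    """Size of the union of every character class the password touches.

    This is the article's model: a random-guessing attacker who knows which
    classes are in use has to cover the whole of each of them.
    """
    size = sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))
    if size == 0:
        raise ValueError("password contains no characters from a known class")
    return size


def exhaustive_seconds(alphabet: int, length: int, rate: float) -> float:
    """Seconds to try every string of exactly `length` symbols at `rate` guesses/s."""
    return alphabet ** length / rate


def cumulative_seconds(alphabet: int, max_length: int, rate: float) -> float:
    """Seconds to try every string of length 1..max_length.

    A cracker that does not know the exact length walks all shorter lengths
    first, so this is slightly larger than exhaustive_seconds for max_length.
    """
    return sum(alphabet ** n for n in range(1, max_length + 1)) / rate


def human(seconds: float) -> str:
    """Render a duration the way the article does (minutes, hours, days, years)."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def estimate(password: str, rate: float = ARTICLE_RATE) -> float:
    """Worst-case seconds to exhaust the keyspace implied by `password`."""
    return exhaustive_seconds(alphabet_size(password), len(password), rate)


if __name__ == "__main__":
    for pw in ["password", "Password", "P@ssword", "P@ssword1", "P@ssword11"]:
        print(f"{pw:12} {human(estimate(pw)):>20} at 1e9/s,"
              f" {human(estimate(pw, GPU_MD5_RATE)):>20} at 3e10/s")
    # Twelve characters from all four classes: the table's bottom-right cell.
    print("12 chars, all classes:", human(exhaustive_seconds(94, 12, ARTICLE_RATE)))
    # The point made later in the thread: a site that caps length at 14 and bans
    # special characters hands the attacker a 62-symbol alphabet instead of 94.
    print("14 chars, no specials:", human(exhaustive_seconds(62, 14, ARTICLE_RATE)))
    print("14 chars, all classes:", human(exhaustive_seconds(94, 14, ARTICLE_RATE)))
```

Running it reproduces the article's 3.5 minutes, 15 hours, 70 days, 18 years and 1,707 years, and the 15-million-year bottom-right cell. Note what the model does not capture, which the replies below go on to say: it assumes uniformly random guessing, so a dictionary-plus-substitution attack finds "P@ssword" far sooner than 70 days, and every tenfold increase in guess rate divides all of these figures by ten.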




posted on Jul, 14 2013 @ 06:44 AM
I'd say this also depends on the hacker having access to the system that stores your passwords, to access the password files.

I don't know of any place that allows unlimited attempts at entering your password before it locks you out.

Having the hashed password files would be certainly required for this to be a worry for the average user.

But good advice on the complexity of what your password should be. Having seen plenty of leaked passwords from times gone by, it's so insane how many people use simple phrases and dictionary words, or... "password" itself.

It depends too, I guess. I never really used my Yahoo email account I had set up from years back, and then I got bounced fail messages to the alternative address I'd set up with it, and realised it had been hacked. Awesome, Yahoo.. Oo

My only concern was wondering how many services I'd used the same password on at the time. lol. Brain like a sieve: if I don't have it written down - and I don't - then I need to know it... and I even forget phone numbers unless I can remember the pattern on the keypad.



posted on Jul, 14 2013 @ 07:18 AM
Hackers, it is my understanding, use back doors through things like Java and Flash. Many programmers make a backdoor when they build software; hackers are often programmers and exploit this. Not saying they also don't try to hack passwords.



posted on Jul, 14 2013 @ 07:26 AM
All of this assumes the system you are logging in to will allow for a brute force password hack. Most systems do not allow for this and will lock the account down after a set amount of failed attempts.

In a situation where brute force is an option, the time it would take depends a lot on the program the hacker is using and what kind of processing power they have at their disposal.

IMO the password is only part of what you need to keep in mind when making sure your accounts are secure. In my line of work I see more instances of accounts getting compromised due to weak password reset options than weak passwords. Having an easily guessable secret question will cause your account to be stolen much faster than having a weak password. Something like a pet's name, for example: a brief look at someone's Facebook page could likely allow someone to determine that answer.

I also see situations where multiple accounts are daisy-chained together. For example, you set up an email address as a back-up to an account, then another email as a back-up to that account. This can continue in some cases between many different email addresses. All it takes in that situation is for someone to get into any one of those accounts, and they can now get into all of them.

The key for account security is to have a strong password, a secret question that is not easily guessable, and a closed loop with your back-up emails.

It may sound like a lot of effort to keep your accounts in order, but once you get into the correct habits, it's not that much effort at all. Definitely a lot less effort than trying to recover a stolen account and fix whatever havoc was caused.

DC



posted on Jul, 14 2013 @ 07:43 AM
Cracking passwords is a combination of art and science. The above stats seem to address the science part of the game... that is to say, using a brute force password cracker against a completely unknown password scheme by using a predefined dictionary and predefined modifiers (all dictionary words plus all dictionary words interspersed with cardinal numbers, which would likely be 1-10 plus all years since, say, 1950 until now).

This does not address the art aspect of the game.

Most people tend to use passwords that they can easily remember... things that have meaning in their own lives. Kids' names, birthdates, pets' names, streets they live on, spouse's name, hobbies, favorite bands, favorite movies, and so forth. For example, a big Star Wars fan might use the password "BobaFett". Because this Star Wars fan has read articles like this one, he might have appended his password to "BobaFett1".

Now if we are a person interested in accessing dear Mr BobaFett1's account - we might start by Googling him and reading his social networking site posts, his blog entries, his listed email addresses, etc.

We would research him a bit and glean all we could from the public domain... then we could create a brute force list that is very, very specific to Mr BobaFett1. Even a moderately skilled person should be able to locate a phone number, home address, potentially previous addresses, spouse's name, kids' names... and with some work, birthdates for any or all. In our quest for info we've found that Mr BobaFett loves Star Wars... so we are armed to include, in our brute force dictionary, all Star Wars specific names, coupled with our choice of numeric modifiers.

Long story short? As long as we haven't tried to crack anything that has limited password attempts? We're into Mr Fett's information within 15-30 minutes.

If this happens to be his web based email account we might have just hit the jackpot - as many people store those "Thanks for joining... your username and password are" messages we get whenever we sign up for stuff.

There are password solutions that make it very, very difficult for ne'er-do-wells to get entry into your accounts, though none are foolproof. If skilled and well equipped people (Big Brother) want into your accounts... they will get in if they want to badly enough. The best trick for the average PC user is simply to not be lazy. Do NOT create passwords with the priority that they are easy to remember... choose them with the priority that they are totally difficult to break. Something random, with numbers, symbols, and letters (case included) all randomized.

Ask Mr Fett... his bank account emptied one day and now his password is !Hb@IyJ8Gf9#. He gets irked every single time he's got to find his notepad just to log in... but his bank account balance has been stable for months now.



posted on Jul, 14 2013 @ 08:18 AM
reply to post by Hefficide


ditto.

It also depends on physical access.
If someone has physical access to your machine at home, or whichever machine you use, they don't need to know the password to gain access to everything on the machine. They can simply change it as an Admin, or view everything they want with Admin privs.

Also of concern is social engineering. Hacking/compromising/exploiting machines is one tactic, where 'hacking' the person that's using the system is sometimes easier. Manipulate someone with valid security credentials on the inside of a security domain to think they're being helpful, put them in a position of learned helplessness, or leverage any other social strategy, and you will then 'own' that network.

Often enough the human element is the softest and easiest point of entry into any security domain.

Example:
Hacker - (calling someone inside security domain pretending to be an authority figure) "Hi, we're seeing some strange traffic and packet flow over here in IT coming from your machine and were wondering if you could help us out by shutting down your machine and changing your domain password? Your account might be compromised by a hacker and we'd like to fix that by getting you a stronger password. Don't worry, I'll be here to walk you through the process of changing your password".




edit on 14-7-2013 by Druscilla because: (no reason given)



posted on Jul, 14 2013 @ 08:51 AM

Originally posted by winofiend
I'd say this also depends on the hacker having access to the system that stores your passwords, to access the password files.

I don't know of any place that allows unlimited attempts at entering your password before it locks you out.

Having the hashed password files would be certainly required for this to be a worry for the average user.

But good advice on the complexity of what your password should be. Having seen plenty of leaked passwords from times gone by, it's so insane how many people use simple phrases and dictionary words, or... "password" itself.

It depends too, I guess. I never really used my Yahoo email account I had set up from years back, and then I got bounced fail messages to the alternative address I'd set up with it, and realised it had been hacked. Awesome, Yahoo.. Oo

My only concern was wondering how many services I'd used the same password on at the time. lol. Brain like a sieve: if I don't have it written down - and I don't - then I need to know it... and I even forget phone numbers unless I can remember the pattern on the keypad.


I have to go on record to say that Yahoo is the worst email ever. I had an account that got hacked. I get so many hacked fail messages from various Yahoo users that I have blocked the entire domain on my email system for work.



posted on Jul, 14 2013 @ 09:04 AM
Generally the most common way for brute forcing is to use other exploits to get hold of the username/password file so that you can do stuff at your leisure. Now there are many ways to store a password, such as plain text (seriously a no-no), followed by various generation mechanisms like SHA1, MD5, etc., with MD5 being the oldest in general use.

Now when brute forcing a password it's common to try various tricks. Any password under 6-8 characters will probably fall to a simple bit of GPU crunching in a few minutes to an hour, at which point those with small-character-size passwords will be dust and probably the hacker will have 40-50% of the passwords, and with each method they employ, such as dictionary with letter swap with numbers etc., they'll probably be knocking off a good percentage.

Now you can crack 30 billion passwords a second with serious 4xGPU power on a password encrypted using MD5, and I bet the guys at GCHQ/NSA have rigs that piddle on that from a serious height.

There are also other problems with using hashes of passwords, such as collisions where 2 different passwords produce the same hash, so while you don't know the original password you can still log in.

And don't forget the time they say is the theoretical time: if your password is the last combination to be done it would have taken them that amount of time, but with today's massive parallel systems the time taken will drop, as every time the number of GPUs doubles the time basically halves, and as they're cramming in more per card and making them faster it won't be long until the spooks will probably be able to decode your password overnight no matter the size of the password.



posted on Jul, 14 2013 @ 11:52 AM
reply to post by cody599

It is actually much worse than most imagine. Hackers grab the hashed password and then use programs capable of 4 billion crack attempts per second to test every single written word in more than 20 languages with every possible special character substitution and mixed case (look=l00k=l@@k, etc.).

Your example of "P@ssword" now takes less than 24 hours to crack and not 70 days.

Fight back with long pass-phrases using more than 15 characters containing non-words, mixed case, numbers, and special characters.

How Secure is My Password

Best regards,
Chris



posted on Jul, 14 2013 @ 12:30 PM
If your password is encrypted using an MD5 hash then White Pixel will probably find it... it's up to 33.1 billion hashes a second, and I can imagine that given an NSA cheque book and some serious time (build me a data centre to house this mega f----er) it's pretty much game over for any encrypted password, as these days brute force is worth doing again due to the parallel computational power that can now be done.

But against more humble people like the average hacker who does have a budget, passwords can still be strong enough to bore them into looking for fresh idiots. If your password will survive a day on a rig with a standard GPU against most common attacks then it'll be fine, as they'll have enough idiots' logins to keep 'em busy.

Things to be aware of which can help hackers are sites posting their min-max password lengths, what characters are allowed in the password field etc., as if they know the max size of a password is 14 characters and it cannot include any special characters they'll adjust their attacks to limit the max password length and possible key combinations, meaning they'll actually crack stuff faster than they would have done normally, as they would have to assume a 256-char password and all the extra special characters.
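Several posts above make the same point from the attacker's side: once the hash file is stolen, the guess rate is set by how cheap one evaluation of the storage hash is, and unsalted MD5 is about as cheap as it gets. The defender's lever is the same quantity. The script below, an added example that is not code from anyone in this thread, times one guess against plain MD5 and against salted PBKDF2-HMAC-SHA256 on the local CPU and scales the thread's 30 billion/s MD5 figure by the measured ratio. The 100,000-round work factor, the constructed salt and candidate, and the assumption that the CPU ratio carries over to GPU hardware are all illustrative assumptions.

```python
import hashlib
import os
import time

# Constructed sample inputs used only for timing; not from any real system.
SALT = os.urandom(16)
CANDIDATE = b"P@ssword1"
PBKDF2_ROUNDS = 100_000      # assumed work factor; real deployments tune this upward
GPU_MD5_RATE = 30e9          # MD5 guesses/s on a 4-GPU rig, as quoted in the thread


def md5_guess(candidate: bytes) -> bytes:
    """Unsalted MD5: the storage scheme the thread describes as fastest to attack."""
    return hashlib.md5(candidate).digest()


def pbkdf2_guess(candidate: bytes) -> bytes:
    """Salted, iterated hashing: each guess costs the attacker PBKDF2_ROUNDS HMACs."""
    return hashlib.pbkdf2_hmac("sha256", candidate, SALT, PBKDF2_ROUNDS)


def guesses_per_second(fn, seconds: float = 0.2) -> float:
    """Measure how many times `fn` can be evaluated per second on this machine."""
    count = 0
    start = time.perf_counter()
    while time.perf_counter() - start < seconds:
        fn(CANDIDATE)
        count += 1
    return count / (time.perf_counter() - start)


def slowdown_factor(fast_rate: float, slow_rate: float) -> float:
    """How many times more expensive one guess is under the slow scheme."""
    return fast_rate / slow_rate


def scaled_gpu_rate(factor: float, md5_rate: float = GPU_MD5_RATE) -> float:
    """Assumption: the CPU slowdown ratio applies roughly unchanged to a GPU rig."""
    return md5_rate / factor


def years_to_exhaust(alphabet: int, length: int, rate: float) -> float:
    """Worst-case years to try every string of `length` symbols at `rate` guesses/s."""
    return alphabet ** length / rate / (365 * 86400)


if __name__ == "__main__":
    md5_rate = guesses_per_second(md5_guess)
    kdf_rate = guesses_per_second(pbkdf2_guess)
    factor = slowdown_factor(md5_rate, kdf_rate)
    print(f"MD5 on this CPU:      {md5_rate:,.0f} guesses/s")
    print(f"PBKDF2 on this CPU:   {kdf_rate:,.0f} guesses/s  (x{factor:,.0f} slower)")
    # An 8-character password over a 94-symbol alphabet, the thread's "P@ssword" case,
    # first at the quoted GPU MD5 rate and then with the same rig slowed by the ratio.
    print(f"94^8 at GPU MD5 rate:  {years_to_exhaust(94, 8, GPU_MD5_RATE) * 365:,.1f} days")
    print(f"94^8 at scaled rate:   {years_to_exhaust(94, 8, scaled_gpu_rate(factor)):,.0f} years")
```

The two measured numbers will differ from machine to machine, but the ratio between them is what matters: the same stolen file and the same hardware give an attacker tens of thousands of times fewer guesses per second when the site stored a salted, iterated hash instead of bare MD5, and every figure in the article's table grows by that factor without the user changing a single character of the password. The salt separately defeats the precomputed-dictionary approach described earlier in the thread, because each account's hash has to be attacked on its own.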



