
Still using short passwords in your organization…


With email turning 40 years old recently, we thought it was a good time to revisit ‘password length’ and how choosing this one factor above all others can make the difference in online security for you and your organization.

There are very few applications left that require short eight-character passwords (known as legacy apps), so you should be thinking of different ways to create and recall your passwords. There are several methods I have heard over the years, and whichever method or combination you choose to employ, security experts all agree: length is the most important one of all (at least that's what the ladies are saying :-))

I wanted to show how anyone who plays games on a computer can use that same graphics card to guess your password. Typically it is the main Central Processing Unit (CPU) that is responsible for the ‘heavy lifting’ in your computer, but for our purposes we use the Graphics Processing Unit (GPU) to do the tedious task of computing.

Typically, password guessing has involved a wordlist: a list of common passwords that is compared against what your password *might* be. This was necessary because of the number of permutations for each position. If we wanted to check every combination of upper case, lower case, number or special character in each of the 6 positions, it would take an enormous amount of time. You could thwart the risk of someone guessing your password with a good password rotation policy, but as processor power has increased this is quickly becoming a concern.

[Figure: Password-guessing-6]

Here we show how fast we can brute force any password up to a length of 6 characters. This is the default password length of a Windows password. In as little as 2 minutes, someone with about a $1000.00 computer can crack the password files on your computer or in your organization.

Here we see how easy it is for that same person to try every possible combination of characters if you change the minimum length to 7.

[Figure: Password-guessing-7]

In as little as 3 1/2 hours we can use the power of a single video card to examine every combination of characters you could possibly use to create a password of 7 characters or less.

How about 8 characters? This same user would take approximately 2 days to try all possible passwords and compare them with the password file that stores your hashes. All anyone needs to do is run a tool on your computer or on your domain controller to exfiltrate your password hashes, and they can then use the power of the GPU to guess your passwords.

How about 9 characters? The amount of time it takes for a single medium-priced GPU to tackle 9 characters is quite high (almost 4 years). So why not just make the minimum password length 9 characters? Well, these results were derived using a single $400.00 video card. We can buy a more expensive card and increase our processing power another 20%. We could even buy a more expensive computer that is capable of running 4 or even 8 video cards in the same system! A machine like this would probably reduce the amount of time it takes to brute force 10 character passwords to a few hours (this is an estimate – YMMV).
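As an added illustration (not from the original post), the following Python script takes the post's calibration figure, every password of up to 6 characters in 2 minutes, derives the guess rate that implies, and projects worst-case exhaustive search times for longer passwords and for rigs with several cards. It assumes the full 95-character printable ASCII set (upper, lower, digits, specials); the function names and the 8-card rig are my assumptions.

```python
"""Worst-case brute-force time versus password length (added example, not from the post).

Assumes the 95 printable ASCII characters and calibrates the guess rate from the
post's figure of "every password up to 6 characters in 2 minutes" on one card.
"""

PRINTABLE_ASCII = 95  # 26 upper + 26 lower + 10 digits + 33 specials (assumption)


def keyspace(charset_size: int, max_length: int) -> int:
    """Number of candidate passwords of length 1..max_length over the charset."""
    return sum(charset_size ** n for n in range(1, max_length + 1))


def implied_rate(charset_size: int, length: int, seconds: float) -> float:
    """Guesses per second implied by exhausting every password <= length in `seconds`."""
    return keyspace(charset_size, length) / seconds


def exhaust_seconds(charset_size: int, length: int, rate: float, gpus: int = 1) -> float:
    """Worst-case seconds to try every password up to `length` with `gpus` cards at `rate` each."""
    return keyspace(charset_size, length) / (rate * gpus)


def human(seconds: float) -> str:
    """Render seconds in the largest unit that applies, rounded to one decimal."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def min_length_for(charset_size: int, rate: float, gpus: int, target_seconds: float) -> int:
    """Smallest length whose exhaustive search takes at least target_seconds at this speed."""
    length = 1
    while exhaust_seconds(charset_size, length, rate, gpus) < target_seconds:
        length += 1
    return length


if __name__ == "__main__":
    # Calibration point taken from the post: 6 characters exhausted in 2 minutes on one card.
    rate = implied_rate(PRINTABLE_ASCII, 6, 2 * 60)
    print(f"implied rate: {rate:,.0f} guesses/s on one card")
    for n in range(6, 13):
        print(f"{n:2d} chars: 1 GPU {human(exhaust_seconds(PRINTABLE_ASCII, n, rate)):>14}"
              f"  8 GPUs {human(exhaust_seconds(PRINTABLE_ASCII, n, rate, 8)):>14}")
    print("minimum length that keeps an 8-GPU rig busy for over 10 years:",
          min_length_for(PRINTABLE_ASCII, rate, 8, 10 * 365 * 86400))
```

These are worst-case exhaustive figures; real attacks lead with wordlists and masks, so treat them as an upper bound on the time an attacker needs, not a guarantee.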

The days of simple dictionary passwords may be gone, and you might feel that it is impossible to remember all of these long passwords, so I wanted to point out a few methods you should adopt that can help you. I hope I have shown you how trivial it is to guess your password and that failure to adopt a longer password could result in compromise of your accounts. All it would take for a hacker to get access to your information is for you to use a ‘free’ wifi hotspot, and your computer could be owned.

1. Use a longer password – add dots, dashes, your phone number, anything that will take your password length beyond 12 characters. Security professionals have forecast that 12 characters is the minimum length we should be using with today's technology.

2. Use an online password manager – these systems can generate random passwords of various lengths, and you only need to remember one password (the one that logs you in to the manager).

If you are interested in finding out just how easy it could be to guess your current password you can visit https://www.grc.com/haystack.htm
