If your password is “123456” or “pass”, the time needed to calculate and crack it in a ‘brute force attack’ is so small that it can be considered instant. On the other hand, if we use a password with a string like ‘¡3lP4ter_Br4un!’, we could force the attacker’s system to spend 2,000 million years working through the alternatives.
We know this thanks to a table that has been circulating on the Internet for years (with some small variations) and that shows approximate times needed to crack passwords depending on the number of characters used (between 3 and 18) and on whether they contain only numbers, only uppercase or lowercase letters, both combined, or all of the above combined with symbols. The first published version of this table is the following:
A predecessor of this chart (not yet colour coded) was first published in “Troubleshooting Windows 7 Inside Out”, a 2010 book by Mike Halsey (Microsoft MVP). As the author himself acknowledged two years later, the data comes from the website HowSecureIsMyPassword.net, a site that has since been transferred to Security.org and that lets us enter passwords to get an estimate of the time it would take to break them.
It takes less and less time to break passwords
Both the boxes in the table and the results of the aforementioned website assign a colour code to each type of password indicating how good it is in terms of cracking time… although a clarification is in order: if you see periods of time in yellow that are longer than others marked in green, it is because the likely future evolution of hardware is taken into account, which could theoretically shorten the time needed to crack a given password within a few years, to the point of making it unsuitable for our long-term security.
Do you remember the 2,000-million-year password we proposed in the first paragraph? In the 2012 version of the table, a duration of 97,000 million years was calculated for it. Halsey himself, who points to Moore’s Law and the widespread adoption of GPUs as responsible for the change, recounts that, between the publication of the book and the coloured version of the table, a password that had taken 2.25 years to crack was broken in just 57 days.
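The table described above is just arithmetic: the alphabet size raised to the password length gives the number of candidates, and dividing by the attacker’s guess rate gives the worst-case time; the yellow/green shading then rescales that time for faster future hardware. The following script is an added example (not from the article, the book or Security.org) that reproduces those two steps. The 32-symbol alphabet, the 10¹⁰ guesses per second and the two-year doubling period are assumptions chosen for illustration; the page gives none of these figures.

```python
import math

# Alphabet sizes for the four character classes the table distinguishes.
# Assumption (not stated on the page): 32 printable ASCII symbols, the usual convention.
DIGITS, LOWER, UPPER, SYMBOLS = 10, 26, 26, 32

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password: str) -> int:
    """Size of the smallest table-style alphabet that covers every character used."""
    size = 0
    if any(c.isascii() and c.isdigit() for c in password):
        size += DIGITS
    if any(c.isascii() and c.islower() for c in password):
        size += LOWER
    if any(c.isascii() and c.isupper() for c in password):
        size += UPPER
    # Anything else (punctuation, '¡', spaces) is lumped into the symbols class,
    # which is how the table treats them.
    if any(not (c.isascii() and c.isalnum()) for c in password):
        size += SYMBOLS
    return size


def keyspace(password: str) -> int:
    """Number of candidates an exhaustive search over that alphabet and length must cover."""
    return charset_size(password) ** len(password)


def crack_seconds(password: str, guesses_per_second: float) -> float:
    """Worst case: the attacker tries every candidate before hitting the right one."""
    return keyspace(password) / guesses_per_second


def after_hardware_growth(seconds: float, years_ahead: float, doubling_years: float = 2.0) -> float:
    """Rescale a crack time assuming guess throughput doubles every `doubling_years`.
    This is the Moore's-law style assumption behind the table's colour coding
    (assumed doubling period; the page gives no figure)."""
    return seconds / 2 ** (years_ahead / doubling_years)


def humanize(seconds: float) -> str:
    """Render a duration the way the table does: 'instant' below one second."""
    if seconds < 1:
        return "instant"
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.0f} {unit}"
    return f"{seconds:,.0f} seconds"


def report(password: str, guesses_per_second: float = 1e10, years_ahead: float = 0) -> str:
    """One table-style row: alphabet, length, keyspace, time now and time after hardware growth."""
    now = crack_seconds(password, guesses_per_second)
    later = after_hardware_growth(now, years_ahead)
    return (f"{password!r}: alphabet={charset_size(password)}, length={len(password)}, "
            f"keyspace=10^{math.log10(keyspace(password)):.1f}, "
            f"time={humanize(now)}, in {years_ahead:g} years={humanize(later)}")


if __name__ == "__main__":
    # Constructed sample passwords, including the two from the article.
    for pw in ("123456", "pass", "Password1", "¡3lP4ter_Br4un!"):
        print(report(pw, guesses_per_second=1e10, years_ahead=6))
```

Changing `guesses_per_second` is what moves a row between colours: the 2.25-years-to-57-days jump Halsey describes corresponds to a roughly 14-fold increase in throughput, which the `after_hardware_growth` model reaches in under eight years at a two-year doubling period.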
Obviously, no figure measured in “millions of years” represents a security problem in itself, but what matters is that these figures point to a constant acceleration of the technologies used to crack passwords. At that rate, will we only manage to keep all our passwords safe once what they protect has lost its value?