I mostly agree with Dvorak’s Permanence of Posting Online, but I take serious, serious issue with what he says in that piece about passwords.
Dvorak: The processing power of a Core i7 by itself is enough to crack almost any password whatsoever. Within minutes.
This is true for short passwords under conditions where you can see the password hash, such as when you’re busting into a server that you have physical access to, or busting Wi-Fi passwords. Longer, more complex passwords, even under those conditions, take far longer than minutes to bust. And when you can’t see the hash at all, it takes longer still.
So under conditions that are ideal for the attacker, he’s almost right. But conditions aren’t always ideal, and you can make them a lot less ideal.
Dvorak: And the nonsense about making sure to use a number and symbol and enough letters is all bull.
This is where Dvorak, with all due respect, doesn’t know what he’s talking about. I have successfully cracked 8-character simple (alphabetic) passwords in less than 30 minutes even with P4-era CPUs. But even 8-character passwords containing numbers and symbols take much longer than that to crack. Even with a fast CPU.
I can only guess that he’s saying symbols and numbers don’t work because people using passwords based on street addresses, say, 1600Jefferson, and even 1600Jefferson! or 1600s.Jefferson!, are getting busted routinely. They pass complexity checks as strong passwords, but they’re too predictable. An attacker can just write a script that cycles through common street names, tacks numbers in front, optionally tacks common punctuation marks on the end, and tries them all in sequence. The search space is then a list of street names times a range of numbers times a few punctuation marks, which is far smaller than every possible string of that length. Those passwords are less secure than something like 16!.Jeff would be, even though the latter is shorter.
But mathematically speaking, busting nonsensical and even near-nonsensical passwords takes considerable time. Simple math tells you all you need to know. I quit taking math classes after the required College Algebra and Elementary Statistics, and I understand this math. With a simple 6-character, all-lowercase password, there are only 26^6, or approximately 300 million, possible passwords. By increasing the character set and the length, you dramatically increase the number of possible passwords the attacker has to compute and compare. Double the length to 12 and add uppercase letters, numbers, and symbols to the mix, and the number of possible passwords soars to 94^12: 475,920,314,814,253,000,000,000. Jump to 16 characters, and you’re up to 94^16, which is 37,157,429,083,410,100,000,000,000,000,000 possible passwords. It just so happens that I talked about the math in more depth just yesterday over at Rabbit-Hole.
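To put numbers on the two paragraphs above, here is an added example of my own, not code from the original post: it computes the keyspace and entropy for the character sets the post describes, and compares the street-address pattern against a random 8-character password. The guess rate and the street-name, house-number and suffix list sizes are illustrative assumptions.

```python
import math

# Character-class sizes from the post: lowercase only, and all 94 printable
# ASCII characters (uppercase, lowercase, digits and symbols).
LOWER = 26
PRINTABLE = 94
# Assumed for illustration only: one billion guesses per second against a
# leaked hash. Real rates depend on the hash algorithm and the hardware.
ASSUMED_GUESSES_PER_SECOND = 1e9

def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols from `charset_size`."""
    return charset_size ** length

def entropy_bits(space: int) -> float:
    """Size of a search expressed in bits: log2 of the number of candidates."""
    return math.log2(space)

def expected_crack_seconds(space: int, guesses_per_second: float) -> float:
    """Average time to hit the password: half the keyspace at the given rate."""
    return space / 2 / guesses_per_second

def pattern_keyspace(street_names: int, house_numbers: int, suffixes: int) -> int:
    """Effective keyspace of a '<number><StreetName><punctuation>' password.
    Someone who knows the pattern searches this product, not every string of
    the same length, so the character classes present do not help."""
    return street_names * house_numbers * suffixes

def compare() -> dict:
    """Bits of entropy for the post's examples versus the street-address pattern."""
    # Constructed list sizes (assumptions): 10,000 street names, house numbers
    # 0..99999, and 11 endings (nothing, or one of ten common punctuation marks).
    pattern = pattern_keyspace(10_000, 100_000, 11)
    return {
        "lower_6": entropy_bits(keyspace(LOWER, 6)),
        "printable_8": entropy_bits(keyspace(PRINTABLE, 8)),    # e.g. 16!.Jeff
        "printable_12": entropy_bits(keyspace(PRINTABLE, 12)),
        "printable_16": entropy_bits(keyspace(PRINTABLE, 16)),
        "street_pattern": entropy_bits(pattern),               # e.g. 1600Jefferson!
    }

if __name__ == "__main__":
    for label, bits in compare().items():
        secs = expected_crack_seconds(2 ** bits, ASSUMED_GUESSES_PER_SECOND)
        print(f"{label:15s} {bits:6.1f} bits  ~{secs / 31_557_600:.3g} years")
```

The street-address pattern comes out near 33 bits, below a random 8-character printable password at about 52 bits, which is the post's point in numbers.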
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.