Robᵉʳᵗ Graham @ErrataRob, 20 tweets
1/ I want to discuss this question because it's a good example of trying to come up with simple answers for complex questions. The question has no answer -- but we still must answer it.
2/ What the questioner is probably looking for is some benchmarks, like this page that shows a computer full of GPUs can crack Windows passwords at a rate of 350 billion guesses per second:
gist.github.com/epixoip/a83d38…
3/ So given this speed, how long will it take to guess a bad password? It depends upon what you mean by "guess" and "bad". If by "guess" you mean "brute force all combinations", and "bad" you mean "8 alphabetic letters or less", it's 2/3rds of a second.
4/ But we don't brute-force. Instead, we maintain databases of over 100-million passwords people have chosen in the past. Chances are good (50%?) that whatever "bad" password you have is already in this "dictionary" list of known passwords.
5/ Even the simplest computer, like a mobile phone or Raspberry Pi can do this "dictionary" search nearly instantaneously.
6/ If that doesn't get the password, then we'll try a "mutated dictionary" attack, where we make minor variations on that huge list, like adding '1' to the end, or changing 'a' to '@'. This gets many/most of the remaining uncracked passwords.
7/ For the remaining passwords, we'll try a "Markov chain" attack, which tries common combinations of characters first. People choose '1' for a password much more often than '2', so the Markov chain is faster than brute-force.
8/ In the end, if the password still remains uncracked, we'll throw brute-force at it. The issue here is that the problem is EXPONENTIAL. I use scary caps because people really don't understand what this means.
9/ If a brute force attempt can crack all 8 character passwords in 1 day, how long will it take to crack 9 character passwords? Well, if we are looking at just lower case, then that means 26 days. For 10 chars, that's 26*26 or 676 days.
10/ Thus the problem quickly escapes you, going from a day to a month to two years. If we are using upper and lower case, numbers, and symbols, the difference for adding one character leads to a roughly 90-fold increase in the time it takes.
11/ I graph the exponential growth in the following graph. I'm showing here the difference between using a desktop computer, a GPU accelerator, and a supercomputer (a thousand Amazon AWS instances). A 90-fold increase in computer power cracks only an additional character.
12/ What exponential graphs should impress upon you is that there is only a small difference between what password a Raspberry Pi can crack vs. a password an NSA supercomputer can crack.
13/ So what does all this mean for how quickly a bad password can be guessed? I don't know. But we still must answer the question. WPA, for example, requires a minimum length of 8 characters. Forcing this minimum length on users makes it really hard to crack in practice.
14/ Now let's talk about the difference between "online" and "offline" cracking. The original question is in terms of "guessing" passwords, but is unclear what that means. Are they guessing them by trying to login to Facebook?
15/ The above discussion was offline cracking, where they steal the "encrypted" passwords after hacking into a website, and are free to crack that encryption as fast as they can. But trying to log in to a website is different: the site detects the attempts after only a few.
16/ In such cases, even bad passwords will protect you. They'll still take millions/billions of attempts to guess, but the website locks them out before they can guess 10 passwords.
17/ In such cases, your biggest threat isn't whether your password is "bad" but whether you've "reused" it. What happens is hackers break into weak sites, grab the usernames/passwords, and try them out against strong sites like Twitter and Facebook.
18/ Go to haveibeenpwned.com and check your email address to see how often hackers have stolen your password from a weak site. It's almost certainly many times.
19/ In the end, whether your password is "bad" or "weak" doesn't really matter. It's something that security people claim because they cast the problem in terms of being morally weak and that you can secure yourself by being "strong".
20/ What is important is that you don't reuse passwords for sites you care about. I have one password for all the sites I don't care about, but my GMail and banking passwords are unique, complex, and written down.
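The arithmetic behind tweets 3 and 9–11 (keyspace size, time to exhaust it at a given guess rate, and the per-character growth factor) as an added worked example; this is not code from the thread's author. It assumes the 350 billion guesses/second figure quoted in tweet 2 and a 95-character printable-ASCII set for "upper and lower case, numbers, and symbols"; both are stated as constants so they can be changed.

```python
"""Exhaustive-search cost for a password of a given length and character set.

Added example illustrating the thread's exponential-growth point; the guess
rate and character-set sizes are assumptions, not measurements.
"""

GPU_RATE = 350_000_000_000   # guesses per second, the figure quoted in the thread (assumed)

LOWER = 26                   # a-z
ALNUM = 26 + 26 + 10         # a-z, A-Z, 0-9
PRINTABLE = 95               # printable ASCII: letters, digits and symbols (assumed set)


def keyspace(charset_size: int, length: int, or_shorter: bool = False) -> int:
    """Number of candidates of exactly `length` characters (or of 1..length chars)."""
    if or_shorter:
        return sum(charset_size ** n for n in range(1, length + 1))
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int,
                       rate: int = GPU_RATE, or_shorter: bool = False) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return keyspace(charset_size, length, or_shorter) / rate


def growth_factor(charset_size: int, length_from: int, length_to: int) -> int:
    """How many times longer exhausting `length_to` takes than `length_from`.

    This is the thread's point: 26x per extra lower-case character,
    roughly 90x per extra character when symbols are in play.
    """
    return charset_size ** (length_to - length_from)


def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    units = (("year", 365 * 86400), ("day", 86400), ("hour", 3600), ("minute", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}s"
    return f"{seconds:.2f} seconds"


if __name__ == "__main__":
    print(f"at {GPU_RATE:,} guesses/s:")
    for label, size in (("lower-case", LOWER), ("alphanumeric", ALNUM), ("printable", PRINTABLE)):
        for length in range(6, 13):
            secs = seconds_to_exhaust(size, length)
            print(f"  {label:12} {length:2} chars: {human(secs)}")
    # The thread's own numbers: 8 lower-case characters in 1 day -> 9 in 26 days, 10 in 676 days
    print("growth 8->9 lower-case:", growth_factor(LOWER, 8, 9))
    print("growth 8->10 lower-case:", growth_factor(LOWER, 8, 10))
    print("growth 8->9 printable:", growth_factor(PRINTABLE, 8, 9))
```

Run it and the table makes the thread's point visible: each extra character multiplies the worst-case time by the size of the character set, so length, not cleverness with symbols, is what pushes a password out of reach of offline cracking.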