I really, really, really hope this is a spoof, but is it? Can American Express really be saying that a short, letter-only password of at most length 8 is better than a longer one using special characters?
It reminds me of my university days, back before we all had home computers. We were advised to pick a password that meant something to us and was easy to remember. My friend cracked mine in a matter of minutes and then found it hilarious to wreak havoc with what I was doing. It seems that allowing only letters really does encourage people to use easy passwords.
Just how silly is this?
Letters only, length 8
With just upper and lower case letters, there are 52 + 52^2 + 52^3 + 52^4 + 52^5 + 52^6 + 52^7 + 52^8 passwords, which is about 5.5 x 10^13:
= 52(52^8 - 1)/(52 - 1)
= 54 507 958 502 660
Letters, numbers, special characters, length 8
Using all upper and lower case letters, numbers and special characters (96 in all), the number of passwords of up to 8 characters jumps to 96 + 96^2 + 96^3 + 96^4 + 96^5 + 96^6 + 96^7 + 96^8, that is about 7.2 x 10^15, which is 100 times more than for the letter-only passwords:
= 96(96^8 - 1)/(96 - 1)
= 7 289 831 534 994 528
Letters, numbers, special characters, length 12
If we allow passwords of up to length 12, the number jumps to 96(96^12 - 1)/(96 - 1), which is about 6.2 x 10^23 passwords.
Cracking Times
So in the worst case, a brute force attack is going to take 10 billion times longer to crack a password of up to length 12 using all special characters, letters and numbers than to crack a letter-only password of length 8. Using a brute force attack (and that is the slowest method of attack) at 1 billion checks per second (a supercomputer in 2009 [1]), the worst case would take 15 hours, 84 days and 20 million years respectively.
In November 2010, using brute force, 14 passwords of length at most 6 using all characters were cracked in 49 minutes using Amazon EC2. [2] There are 7.9 billion such passwords, which is 100 times fewer than for letter-only passwords of length 8, so just for comparison, we could say it would take about 49/14 * 100 minutes, that is 6 hours, to crack one password of this type.
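The keyspace sums and worst-case cracking times above can be reproduced with exact integer arithmetic. The following is an added example, not part of the original post; the guess rate of 10^9 per second is the post's 2009 supercomputer figure, and the 365.25-day year is my own assumption for the conversion.

```python
from fractions import Fraction


def keyspace(alphabet_size: int, max_length: int) -> int:
    """Number of passwords of length 1..max_length over an alphabet.

    This is the geometric series a + a^2 + ... + a^n = a(a^n - 1)/(a - 1),
    the same closed form the post uses, evaluated exactly (no floats).
    """
    a, n = alphabet_size, max_length
    return a * (a ** n - 1) // (a - 1)


def worst_case_seconds(space: int, guesses_per_second: int) -> Fraction:
    """Seconds to exhaust the whole space at a fixed guess rate (worst case)."""
    return Fraction(space, guesses_per_second)


def humanize(seconds: Fraction) -> str:
    """Render a duration in the largest sensible unit: hours, days or years."""
    hours = seconds / 3600
    days = hours / 24
    years = days / Fraction(36525, 100)  # assumed 365.25-day year
    if years >= 1:
        return f"{float(years):,.0f} years"
    if days >= 1:
        return f"{float(days):.0f} days"
    return f"{float(hours):.0f} hours"


def compare(policies, guesses_per_second: int = 10 ** 9):
    """Return (label, keyspace, worst-case time) for each (label, alphabet, length)."""
    rows = []
    for label, alphabet, length in policies:
        space = keyspace(alphabet, length)
        rows.append((label, space, humanize(worst_case_seconds(space, guesses_per_second))))
    return rows


if __name__ == "__main__":
    # The three policies discussed in the post: 52 letters, 96 printable characters.
    policies = [
        ("letters only, length 8", 52, 8),
        ("all characters, length 8", 96, 8),
        ("all characters, length 12", 96, 12),
    ]
    for label, space, worst in compare(policies):
        print(f"{label:28s} {space:>30,d}  worst case {worst}")
    # Ratio between the strongest and weakest policy (the post's "10 billion times").
    print("ratio:", keyspace(96, 12) // keyspace(52, 8))
```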
So what can we say? Length really does matter!