Password Win Sweepstakes

Boost your password strength, win an Ultrabook.

My first password that I used to use for everything when I first started with the interwebs:

It would take about 20.747611666666668 minutes to ■■■■■ your password.

My password that has variations for each service that I use that doesn’t demand good security, for example impulsive sign-ups on sites where you also use a 10 minute e-mail:

It would take about 3 days to ■■■■■ your password.
to
It would take about 2 years to ■■■■■ your password.
from shortest to so far longest variation.

My password with variations for each service with added security which also varies for each service:

It would take about 5772396 years to ■■■■■ your password.
to
It would take about 1500823093 years to ■■■■■ your password.

My password with variations for the services where I need the most secure password (only have one so far):

It would take about 31341248102602994000 years to ■■■■■ your password.

But then again, these numbers get smaller for every year.

I only wonder, how do they calculate this? With what estimated passwords per second and based on what technology? Is it based on the average home processor? Is it based on the average single GPU GPGPU? Is it based on a cluster of many many GPGPU solutions? Is it based on supercomputers? I am not interested in how long it would take the average script kiddie to get my password, I’m interested in how long it would take for the NSA or any other such organization.

Oh also I only wrote my results here since I thought it was fun and I’m not eligible to enter the thingy since I don’t live in the USA.

Good questions. I would guess it’s based on supercomputers.

Not that you shouldn’t have a secure password for more data sensitive websites like banking, but don’t most banking sites have sign in attempt limits anyway? Mine locks you out after 3 wrong attempts. Even sites that don’t would be limited by the web server. How many servers would allow 100,000 password attempts per second? It’s just not realistic.

In the article they complain about the site not having HTTPS but when I visit it I get an HTTPS page, otherwise I wouldn’t have used it. Also I did use my password but the variations were made up so it was only half the password that was used for any real service so if someone would get my input on that site they still wouldn’t be able to access anything of mine.

Like I thought with the actual calculations, they seem to be sort of random, a longer more complicated password was said to be faster than a shorter and less complicated one, one which would be broken by a dictionary attack too. I don’t have the passwords here now since it was a few hours since I wrote them in.

A better way to calculate a brute force attack would in my opinion be the highest known passwords per second and then also calculate at how many passwords that one would show up (since brute force attack follows a pattern, right?) and then calculate the time it would take to get to that position using the passwords per second discussed above, at least that’s what I am interested in.

But then again, most passwords are crackable under 1 second… keyloggers etc :wink:

I don’t think it’s based on a brute force attack, it’s dictionary based. I could be absolutely wrong but maybe they have a machine(s) like this building lists of random characters and commonly used words based on the number of characters. Building and saving lists for future attacks. If I had that kind of free processor power it would make sense. It’s maybe why random password strings seem to be stronger. If I use a string like my birthday + my grandmother’s name + my zip code + the year of my birth that’s truly random and seems to be stronger. Who knows. :slight_smile:
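
The calculation proposed earlier in the thread (find the position at which a password turns up in a brute-force sweep, then divide by a guess rate) can be sketched as follows. This is an added example, not part of any post and not the code behind the site being discussed; the 62-character alphabet, the shortest-first ordering and the guess rates are all assumptions.

```python
import string

# Assumption: the sweep tries every candidate of length 1, then length 2, and so on,
# each length in the order of this 62-symbol alphabet (a-z, A-Z, 0-9).
CHARSET = string.ascii_lowercase + string.ascii_uppercase + string.digits

def brute_force_position(password, charset=CHARSET):
    """Return the 1-based guess number at which the sweep reaches `password`."""
    index = {c: i for i, c in enumerate(charset)}
    if not password or any(c not in index for c in password):
        raise ValueError("password is empty or uses characters outside the charset")
    base = len(charset)
    # Every shorter candidate is tried before any candidate of this length.
    shorter = sum(base ** n for n in range(1, len(password)))
    # Rank within its own length: read the password as a base-N number.
    rank = 0
    for c in password:
        rank = rank * base + index[c]
    return shorter + rank + 1

def seconds_to_reach(password, guesses_per_second, charset=CHARSET):
    """Time for the sweep to arrive at `password` at a fixed guess rate."""
    return brute_force_position(password, charset) / guesses_per_second

def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    units = (("years", 31_557_600), ("days", 86_400), ("hours", 3_600), ("minutes", 60))
    for unit, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.3f} seconds"

if __name__ == "__main__":
    # Constructed sample passwords and assumed guess rates (not measurements).
    rates = {"1e6 guesses/s (assumed)": 1e6, "1e11 guesses/s (assumed)": 1e11}
    for pw in ("aaaaaaaa", "zzzzzzzz", "Tr0ub4dor"):
        for label, rate in rates.items():
            print(f"{pw:>10}  {label:<26} {humanize(seconds_to_reach(pw, rate))}")
```

Under this model two passwords of the same length can differ enormously depending on where they fall in the sweep order, and the result scales linearly with whatever guess rate is assumed; it says nothing about dictionary-based guessing.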