How I'd Hack Your Weak Passwords

**Xiphos** · 03-30-10, 08:21 PM

Not very long and worth every word. Read it through and fix your passwords!

Assuming the hacker has a reasonably fast connection and PC here is an estimate of the amount of time it would take to generate every possible combination of passwords for a given number of characters. After generating the list it's just a matter of time before the computer runs through all the possibilities – or gets shut down trying.

Pay particular attention to the difference between using only lowercase characters and using all possible characters (uppercase, lowercase, and special characters – like @#$%^&*). Adding just one capital letter and one asterisk would change the processing time for an 8 character password from 2.4 days to 2.1 centuries.

The whole article: The Easy, Any-Browser, Any-OS Password Solution - Security - Lifehacker

**MacLean** · 03-30-10, 09:42 PM

Good reminder.

**TXCharlie** · 03-30-10, 10:05 PM

That's why systems like Microsoft Windows are rather slow in responding or allowing you to enter another password when you enter a bad password, and locks you out for 5 or 10 minutes sometimes when you enter too many wrong passwords, depanding on how it's configured..

If a hacker's cracker program can try 1000 passwords a second and finally find it on the millionth try, then that's only 16 minutes - But if the system only allows him to enter one password per second and locks you out for 5 minutes on every 3rd password attempt, it would take him over 3 years to automatically input a million passwords

Unfortunately some of those viruses can get around the operating system's time delay by hitting the password store directly and testing new passwords at thousands of times per second, in which case 16 minutes might do it - Then they secretly call home over the Internet and send either the solution or the encrypted password data for the hacker to try to crack on his own PC.

The thing is, when those viruses infect thousands of computers and they all try to crack, say, a banking web site, they can probably eventually do it if the network people don't respond to all the bells and whistles that will go off - But those network guys in the pony tails and sandals are pretty passionate about responding to repeated password attempts, so they start blocking IP numbers just as rapidly when they see a pattern.