How long will it take a hacker to crack your password?

By | May 3, 2011

How would you feel if someone broke into your e-mail or modified your website because your password was easily guessed?  Imagine all the hassle and inconvenience of getting your website back up and working, or, in the worst case scenario, having to cancel your credit cards and other important information.  This would prove an expensive undertaking, in terms of both time and money. However, it can be easily avoided by choosing a secure password.

As you can see, the importance of having a strong password cannot be stressed enough, and there are two main ways to make your passwords more secure.

Firstly, you can make your password as long as possible. As you can see in the graph below, the difference between 7 and 9 character passwords is substantial.

Secondly, you can use a combination of upper-case and lower-case letters, numbers and symbols. A lot of people prefer to use simple words, names or places, but these can be easy to guess. It might help you to make up a story that corresponds with your password. For example, ‘Jane climbed a money tree on 27 Victoria st!’ could help you remember the password ‘Jca$to27Vs!’.

To see how small changes in the number and type of characters used in your password will help to keep it secure, take a look at the graph below. Summarised from an article, it shows how much time it will take a hacker’s computer to randomly crack your password.


  1. Jarrod says:

    I completely agree with everything, except the time estimations taken in order to break a password. As technology advances it not only allows us to become more secure, it also opens up more ways for people to break that security.

    10 minutes for length 6 lowercase is probably accurate using a fairly outdated CPU, but these days on a couple of mid-range graphics cards that attack would be completed in the blink of an eye. With that in mind, the whole range of length 8 lowercase + digits only takes around half an hour, length 9 about a day, and length 10 less than a couple of weeks. Anything around length 8 or more with a symbol added in definitely makes things much harder.

    These times are for passwords which are stored in the well known md5 hash, which is probably fairly outdated now but still widely used. With a couple of graphics cards, breaking an md5 hash through a brute force attack can hit speeds of 8 billion attempts per second.

    With that said most forums (Invision, phpbb) and content management systems (Drupal, Joomla, WordPress) these days use salted hashes, which is basically a piece of random data added to the encrypted password hash that greatly slows down the attack speed. These make brute force attacks extremely impractical, which is why there are a wide range of tricks available to attackers to speed up the process.

    Everyone has undoubtedly heard of the popular “dictionary attack”, whereby an attacker tries to find a user’s password using a list which more or less contains every word in the dictionary. At first you may think something along the lines of “well if I add a number or symbol into my word, that will prevent that”. In general that will not be the case; there are a wide range of attacks which can use the dictionary list and manipulate it, for example the word “professional” could be used to find a variation of Pr0f3$$ion4L as a password. Lower case letters can be flipped to upper, letters replaced with numbers, words appended or prepended with numbers, letters or symbols.

    It is good to be aware of the various attacks used when breaking passwords, in order to help protect yourself when creating one.

  2. Thanks for the info Jarrod! So you’re saying words are out for sure, but maybe a random sequence that represents a whole sentence is more secure? That’s why I used the example “‘Jane climbed a money tree on 27 Victoria st!’ to help you remember the password Jca$to27Vs!”. And the longer the better is always good advice. How long would you recommend?

  3. Jarrod says:

    Yeah words are a bad idea, random sequences are much better. Length 9 or so should be pretty good if it is random, along the lines of the nice example you provided above. The mnemonic is a really good way to aid in remembering those passwords which appear to be random.

  4. David says:

    It is a good example but since another of your tips is change it regularly, these complex sentence reminders are impractical. One compromise is to use a base phrase as per your example and add the first 2 letters of the month to it. Then when you change your password update the month letters.

  5. David says:

    Another useful idea is to choose a core phrase and then add the first letter of the site you are using it on and the last letter of the site to the end. Whatever your system it needs to include all the types of characters, be changeable but remember-able(?) …. We all have hundreds of passwords these days.

    LastPass is an interesting service too for cloud password management.

  6. Thanks for the extra tips David! I definitely think having a base password that only changes slightly each month is a good way to go. With my work login I do this and then add some numbers to the end which I change whenever it makes me update my password 😀

  7. Hughesey says:

    Unfortunately now everybody knows that Heather! Makes cracking your password that little bit easier :P.

  8. Haha touche Hughesey! Maybe I’ll start updating the base password with a number AND some symbols AND the designer of the pair of shoes I am coveting that month (that is something no geek will ever guess) 😛
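
The two ideas discussed in the article and the comments, keyspace growth with length and character variety, and dictionary words disguised with substitutions, can be combined into one defender-side password check. This is an added example, not code from the post or its commenters: the function names are hypothetical, the wordlist and substitution table are constructed samples, and the default rate is the 8 billion MD5 guesses per second quoted in the comments.

```python
import string

# Rate quoted in the comments for unsalted MD5 on a couple of graphics cards.
MD5_GUESSES_PER_SECOND = 8_000_000_000
# Constructed sample wordlist; a real check would load a large dictionary.
SAMPLE_WORDLIST = {"professional", "password", "victoria", "jane"}
# Assumed table of common substitutions, undone before the dictionary lookup.
DELEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                        "7": "t", "$": "s", "@": "a", "!": "i"})
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
AFFIXES = string.digits + string.punctuation


def alphabet_size(password):
    """Size of the character pool an exhaustive search has to cover."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in password))


def worst_case_seconds(password, rate=MD5_GUESSES_PER_SECOND):
    """Seconds to try every string of this length over that pool."""
    return alphabet_size(password) ** len(password) / rate


def dictionary_base(password, wordlist=SAMPLE_WORDLIST):
    """Return the word a mangled password reduces to, or None."""
    lowered = password.lower()
    # Undo substitutions then strip added digits/symbols, and the reverse.
    candidates = (lowered.translate(DELEET).strip(AFFIXES),
                  lowered.strip(AFFIXES).translate(DELEET))
    return next((c for c in candidates if c in wordlist), None)


def assess(password):
    """Combine both views; a dictionary hit overrides the keyspace figure."""
    base = dictionary_base(password)
    return {
        "length": len(password),
        "alphabet": alphabet_size(password),
        "worst_case_seconds": worst_case_seconds(password),
        "dictionary_base": base,
        "verdict": "reject: mangled dictionary word" if base else "ok",
    }


if __name__ == "__main__":
    for pw in ("Pr0f3$$ion4L", "Jca$to27Vs!", "abcdefg", "abcdefghi"):
        print(pw, assess(pw))
```

The keyspace figure is an upper bound for exhaustive search only; a password that reduces to a dictionary word is rejected regardless of how large that figure looks.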
