One thing humans have an incredibly difficult time visualizing is huge numbers. For example, most of have a horrible time conceptualizing number like a trillion.

When dealing with passwords, one way we have of measuring a password’s strength is to look at its keyspace. The keyspace is based on how many different types of characters you used to the power of how long the password is.

Now a US English keyboard has keys representing 95 different characters. We break these down into four character sets: lowercase letters, uppercase letters, number, and symbols. Many password policies require at least three or sometimes four of these character sets. If you were to create a password that consisted of all four character types and that is 8 characters long, assuming you use a totally random password, it may look something like this: 5bV&y6mA

The keyspace for a password like this would be 958 or 6,634,204,312,890,620 (about 6.6 quadrillion) possible passwords that you could be yours.

Of course, visualizing a quadrillion is extremely difficult. You could go to this page to visualize a trillion and then imagine the bottom picture 6,634 times. Or you could look at this visualization of a quadrillion pennies and imagine 6.6 of those. Or you could use my favorite and imagine your password as a single grain of sand among 6,907 semi truck trailers full of sand (your web browser may not like this one). Either way, the numbers we are talking about are unimaginably huge.

However, we could also look at it the other way and visualize how many passwords per second a password cracker can test. Currently, a single GPU-based password cracker using a high-end video card can crack up to 11 billion passwords per second. How big is 11 billion? Consider that there have been an estimated 106 billion people who have ever lived on the earth.

And 11 billion per second means 660 billion passwords per minute and 3.6 trillion passwords per hour. In a single 24 hour period this means it could burn its way through almost a quadrillion passwords.

On average a password cracker will guess any particular password halfway through the keyspace. That means a password cracker will, on average, again assuming you are using a totally random password, find that single grain of sand in 6,907 semi truck trailers full of sand in just over 3 days!

In other words, despite the massive numbers involved with random passwords, even an 8-character password that was considered sufficient 10 years ago is by no means safe. And if you are one of the 90% of the people out there using a weak password, your password will most likely be cracked in a matter of minutes.

Fortunately, the math behind password strength works in our favor. By adding just a few more characters to the password length you are creating passwords that are billions of times stronger. For example, consider a 12-character totally random password that uses all four character sets. In this case the keyspace grows to 95^12 or 540,360,087,662,637,000,000,000 possible passwords.

Remember those 6,907 semi trucks full of sand analogy above? In this case image that page opened in 562,582,079,815 different browser tabs. Each semi truck filled with grains of sand and your password is just one of those.

And how long would it take a GPU-based cracker to find this password? On average it would take 284,280,394 (4,373,544 years!).

So while GPU-based passwords are incredibly powerful today, we still have the upper hand by making our passwords just a little bit longer.



Yubikey Token        LastPass password manager