How Much Does It Cost to Crack Your Password?
It is important to know how much money it takes to crack a password and how to choose one that is both simple and secure.

Foreword
Password security is a much-discussed topic, as weak passwords are often chosen out of convenience. In this article we want to show what financial resources your password should be able to withstand if an attacker tries to crack it by systematically trying every possible combination (a so-called brute force attack).
The following table shows the monetary effort required to break the given password complexity with an offline brute force attack by simple trial and error. Very secure passwords cannot be cracked with all the money in the world.
| # | Numbers | Lowercase | Mixed Case | Mixed Case + Numbers | Mixed Case + Numbers + Special |
|---|---|---|---|---|---|
| 1 | 0 $ | 0 $ | 0 $ | 0 $ | 0 $ |
| 2 | 0 $ | 0 $ | 0 $ | 0 $ | 0 $ |
| 3 | 0 $ | 0 $ | 0 $ | 0 $ | 0 $ |
| 4 | 0 $ | 0 $ | 0 $ | 0 $ | 0 $ |
| 5 | 0 $ | 0 $ | 0 $ | 0 $ | 0 $ |
| 6 | 0 $ | 0 $ | 0 $ | 0 $ | 0 $ |
| 7 | 0 $ | 0 $ | 0 $ | 2 $ | 10 $ |
| 8 | 0 $ | 0 $ | 6 $ | 155 $ | 965 $ |
| 9 | 0 $ | 1 $ | 315 $ | 12,118 $ | 94,536 $ |
| 10 | 0 $ | 16 $ | 16,391 $ | 945,165 $ | 9.3 M$ |
| 11 | 0 $ | 416 $ | 852,312 $ | 73.7 M$ | 907.9 M$ |
| 12 | 0 $ | 10,820 $ | 44.3 M$ | 6 B$ | 89 B$ |
| 13 | 1 $ | 281,330 $ | 2 B$ | 449 B$ | 8.7 T$ |
| 14 | 11 $ | 7.3 M$ | 120 B$ | 34 T$ | 854 T$ |
| 15 | 113 $ | 190.2 M$ | 6.2 T$ | - | - |
| 16 | 1,134 $ | 5 B$ | 324 T$ | - | - |
| 17 | 11,339 $ | 129 B$ | - | - | - |
| 18 | 113,387 $ | 3.3 T$ | - | - | - |
| 19 | 1.1 M$ | 86 T$ | - | - | - |
| 20 | 11.3 M$ | - | - | - | - |
The table shows expected costs rather than time, since time estimates can become misleading due to parallelization. The costs assume an attacker cracking your password using Amazon's cloud platform. The underlying equation was created based on the price of an Amazon EC2 instance (p3.16xlarge - 8xNVIDIA Tesla V100 GPUs) and the use of the SHA256 hash algorithm. This does not account for volume discounts, self-hosted hardware, Moore's law, or inflation and deflation driven by central banks.
A Secure Password That Is Easy to Remember
An important but largely unknown basic rule: length before complexity. In theory, the length of a password is more important than its complexity. However, simple word repetitions or strings such as "qwertzuiopü123" should not be used, as these can be cracked more easily with the specialised word lists of a dictionary attack.
We recommend a password that consists of at least 5 words, each with its first letter capitalized. Each word should be at least 4 characters long. Special characters and numbers are not required, as the underlying key space is already large enough.
For 5 words with a minimum length of 4 characters, the minimum key space is 2.08E+34, which is a 35-digit number, so even the richest man in the world would have no way to get your password by trial and error. Provided you use a long password, special characters and numbers are not needed for a secure password!
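The cost model behind the table and the key-space figure above, as an added example (not the article's own code). The per-guess price is back-calculated from the table's 18-digit row, and the 7,776-word list size is an assumed sample used to show the key space when whole words, rather than single characters, are the unit of guessing.

```python
# Added example: cost model reverse-derived from the article's own table.
# Assumption: cost grows linearly with the number of guesses and the table
# prices the full key space (18 digits -> 10**18 guesses -> 113,387 $).
COST_PER_GUESS_USD = 113_387 / 10**18

# Symbols per table column (only the columns whose alphabet size is unambiguous).
ALPHABETS = {"digits": 10, "lower": 26, "mixed": 52}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates an exhaustive character-level search must cover."""
    return alphabet_size ** length


def brute_force_cost(alphabet_size: int, length: int) -> float:
    """USD needed to hash every candidate of exactly this length."""
    return keyspace(alphabet_size, length) * COST_PER_GUESS_USD


def passphrase_keyspace(words: int, wordlist_size: int) -> int:
    """Key space when whole words from a known list are the unit of guessing.
    A first letter that is always capitalized adds nothing to this count."""
    return wordlist_size ** words


def passphrase_cost(words: int, wordlist_size: int) -> float:
    """USD needed to hash every word combination from the list."""
    return passphrase_keyspace(words, wordlist_size) * COST_PER_GUESS_USD


if __name__ == "__main__":
    # Reproduce a few table cells from the single derived constant.
    for name, length in [("digits", 16), ("lower", 12), ("mixed", 10)]:
        cost = brute_force_cost(ALPHABETS[name], length)
        print(f"{name:6} length {length:2}: {cost:>12,.0f} $")

    # Character-level view of the recommendation: 5 words x 4 letters, mixed case.
    print(f"52^20 key space   : {keyspace(52, 20):.3e}")
    print(f"52^20 cost        : {brute_force_cost(52, 20):.3e} $")

    # Word-level view. 7776 is a constructed sample list size (assumption).
    sample_list = 7776
    print(f"{sample_list}^5 key space : {passphrase_keyspace(5, sample_list):.3e}")
    print(f"{sample_list}^5 cost      : {passphrase_cost(5, sample_list):,.0f} $")
```

The word-level figure depends entirely on how large the word pool is and on the words being picked at random, which is why the choice of words matters as much as their number.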
Avoid Reusing Passwords
Reusing passwords across multiple services is also a common problem, because if an attacker obtains the password for one service, they can use it to access others. You should choose a unique password for each service, so that if one service is compromised, the rest of your accounts remain secure. Security and proper encryption are always the responsibility of the service provider, and users have no direct control over how well their passwords are protected. Some platforms still use insecure hash functions or even store passwords in plain text. This is why you should use a different password for each service -- to protect yourself against data leaks and subsequent misuse by third parties. Database breaches at major platforms happen regularly, so the threat is very real.
Use a Password Manager
Choosing a unique password for every service is no easy task, since people are forgetful and the number of services keeps growing. A password manager solves this problem: you only need to remember one secure master password, and the manager generates and stores strong, random passwords for each service. These programs work cross-platform, so you can use them on mobile devices and tablets as well. A comparison of password managers from the NYT.
Two-Factor Authentication
Two-factor authentication is an additional layer of security on top of your password. It works by generating a secondary "secret" on a separate device, such as your phone. Even if an attacker manages to crack your password, they still cannot access the service because they do not possess the "secret" on the external device. A comprehensive article from us about 2FA.