Password security is a much discussed topic, as weak passwords are often chosen out of convenience. In this article we want to show how much money an attacker would need to spend to find your password by trying every possible combination (a so-called brute-force attack), and hence how much financial effort your password should be able to withstand.
The following table shows the monetary effort required to break a password of the given length and character set with an offline brute-force attack by exhaustive trial and error. Very secure passwords cannot be cracked with all the money in the world.
| Length | Numbers | Lowercase | Mixed Case | Mixed Case + Numbers | Mixed Case + Numbers + Special |
|---|---|---|---|---|---|
| 1 | 0 $ | 0 $ | 0 $ | 0 $ | 0 $ |
| 2 | 0 $ | 0 $ | 0 $ | 0 $ | 0 $ |
| 3 | 0 $ | 0 $ | 0 $ | 0 $ | 0 $ |
| 4 | 0 $ | 0 $ | 0 $ | 0 $ | 0 $ |
| 5 | 0 $ | 0 $ | 0 $ | 0 $ | 0 $ |
| 6 | 0 $ | 0 $ | 0 $ | 0 $ | 0 $ |
| 7 | 0 $ | 0 $ | 0 $ | 2 $ | 10 $ |
| 8 | 0 $ | 0 $ | 6 $ | 155 $ | 965 $ |
| 9 | 0 $ | 1 $ | 315 $ | 12,118 $ | 94,536 $ |
| 10 | 0 $ | 16 $ | 16,391 $ | 945,165 $ | 9.3 M$ |
| 11 | 0 $ | 416 $ | 852,312 $ | 73.7 M$ | 907.9 M$ |
| 12 | 0 $ | 10,820 $ | 44.3 M$ | 6 B$ | 89 B$ |
| 13 | 1 $ | 281,330 $ | 2 B$ | 449 B$ | 8.7 T$ |
| 14 | 11 $ | 7.3 M$ | 120 B$ | 34 T$ | 854 T$ |
| 15 | 113 $ | 190.2 M$ | 6.2 T$ | - | - |
| 16 | 1,134 $ | 5 B$ | 324 T$ | - | - |
| 17 | 11,339 $ | 129 B$ | - | - | - |
| 18 | 113,387 $ | 3.3 T$ | - | - | - |
| 19 | 1.1 M$ | 86 T$ | - | - | - |
The table deliberately shows cost rather than time: a time estimate loses its validity as soon as the attacker parallelizes the search, whereas the expected cost of cracking your password on Amazon's cloud platform does not. The underlying formula is based on the price of an Amazon EC2 instance (p3.16xlarge with 8 NVIDIA Tesla V100 GPUs) and on the SHA-256 hash algorithm. The figures therefore assume that the service stores a fast hash of the password; a service that uses a deliberately slow password hash raises the cost of every single guess and with it every entry in the table. Not included are volume discounts, operating your own hardware, Moore's law, and inflation or deflation caused by central banks.
A secure password that is easy to remember
An important but largely unknown basic rule: length before complexity. Mathematically, the length of a password contributes more to its key space than its complexity does, but simple word repetitions or keyboard sequences such as "qwertzuiopü123" should be avoided, as they are cracked far more cheaply by a dictionary attack using prepared word lists.
We recommend a password consisting of at least 5 words, each at least 4 characters long and starting with a capital letter. Special characters and numbers are not required, as the resulting key space is already large enough.
For 5 words with a minimum length of 4 characters, the minimum key space is 2.08E+34, roughly a 2 followed by 34 zeros, so even the richest man in the world would have no way to obtain your password by trial and error. Provided you use a long password, special characters and numbers are not needed for a secure password!
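The table's cost model and the key-space figure above, reproduced in Python as an added example (not the article's own calculation): the hourly price and aggregate SHA-256 rate are assumptions picked to match the table, the alphabet sizes cover only the first three columns, and the 7776-entry word list in the dictionary comparison is a constructed input.

```python
# Assumed inputs (not stated in the article): an hourly on-demand price for
# an 8-GPU instance and its aggregate SHA-256 rate. They were chosen so that
# the implied cost per guess (about 1.13e-13 $) reproduces the table's figures.
PRICE_PER_HOUR_USD = 24.48         # assumed
SHA256_GUESSES_PER_SECOND = 60e9   # assumed: 60 GH/s across 8 GPUs

# Alphabet sizes that the table's first three columns define unambiguously.
ALPHABETS = {"numbers": 10, "lowercase": 26, "mixed_case": 52}

def cost_per_guess(price_per_hour=PRICE_PER_HOUR_USD,
                   guesses_per_second=SHA256_GUESSES_PER_SECOND):
    """Dollars spent per SHA-256 guess when renting the instance by the hour."""
    return price_per_hour / (guesses_per_second * 3600)

def brute_force_cost(alphabet_size, length, **rates):
    """Worst-case cost of enumerating every candidate of the given length (the
    table's figures match this; stopping at the first hit averages half)."""
    return alphabet_size ** length * cost_per_guess(**rates)

def passphrase_keyspace(words=5, min_word_len=4, alphabet_size=52):
    """Key space of the recommended passphrase as the article counts it:
    every one of the words * min_word_len letters may be upper or lower case."""
    return alphabet_size ** (words * min_word_len)

def dictionary_keyspace(list_size, words=5):
    """Lower bound when the attacker knows the words come from a list of
    list_size entries (capitalising the first letter adds nothing then)."""
    return list_size ** words

def format_usd(cost):
    """Render a cost roughly the way the table does: $, M$, B$, T$."""
    for unit, scale in (("T$", 1e12), ("B$", 1e9), ("M$", 1e6)):
        if cost >= scale:
            return f"{cost / scale:.1f} {unit}"
    return f"{round(cost):,} $"

if __name__ == "__main__":
    for name, size in ALPHABETS.items():
        row = [format_usd(brute_force_cost(size, n)) for n in range(8, 17)]
        print(f"{name:>10} (8..16 chars): {', '.join(row)}")
    space = passphrase_keyspace()
    print(f"5 x 4-letter words, brute force: {space:.2E} guesses,",
          format_usd(space * cost_per_guess()))
    # Constructed comparison: a 7776-entry word list (the size of a Diceware list).
    print("5 words from a 7776-word list:",
          format_usd(dictionary_keyspace(7776) * cost_per_guess()))
```

The dictionary comparison shows why the article warns against predictable words: the brute-force figure is an upper bound, and an attacker who can guess the word list pays only for list_size to the power of the word count.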
Avoid reusing passwords
Reusing the same password is also a frequent problem, because once the password for one service has been captured, the other services can be accessed with it. An individual password should be chosen for each service, so that if one service loses its data, the remaining credentials stay secure. The security controls and the correct protection of stored passwords are always the responsibility of the respective service, and the user cannot directly influence that service's security level. For example, some platforms use insecure hash functions or even store passwords in plain text. For this reason, a new password should be chosen for each service to protect against data leaks and subsequent misuse by third parties. It happens again and again that databases of large platforms are leaked and published, so the threat is real.
Use a password manager
Choosing a new password for each service is not easy, as people are forgetful and the number of services keeps growing. This problem can be solved with a password manager: only one master password has to be remembered, and with it the randomly generated password for each service is decrypted. These programs work across platforms, so mobile phones and tablets can be used with the password manager as well.
Two-factor authentication is an additional authentication factor alongside the password. Here, an additional "secret" is generated on a separate device such as a mobile phone. Even if an attacker manages to crack the password, he cannot gain access to the respective service because he does not have the "secret" on the separate device.