Why an 8-Character Password is No Longer Long Enough

Passwords need to be unique and complex to resist brute force attacks by cybercriminals,  but how long does it take a hacker to guess a password? Even if the password is complex if it does not contain enough characters it can be guessed in seconds. 

Why Complex Passwords are Required

When passwords are required, there are usually policies applied that require passwords to contain a minimum number of characters and meet minimum complexity requirements. That usually means the password must be a minimum of 8 characters and should contain at least one upper- and lower-case letter, a number, and a symbol.

There is a very good reason for enforcing those complexity requirements. The latest graphics processing technology makes short work of guessing passwords, and even relatively short complex passwords can be correctly guessed in a very short space of time. Using the latest technology, a 6-character password could be cracked instantly, regardless of whether it contains upper- and lower-case letters, numbers, and symbols.

According to a recent report published by cybersecurity firm Hive Systems, even 8-character passwords could be cracked quickly. An 8-character password that consists only of numbers or lower-case letters could be cracked instantly, and if the password contained a mix of upper- and lower-case letters it would only take around 2 minutes to correctly guess. If numbers are used in addition to upper- and lower-case letters, the password could be cracked in 7 minutes, and add in symbols and it would take just 39 minutes to guess an 8-character password.

How Long Does it Take a Hacker to Guess a Password?

In a recently revised table, which takes into account advances in graphics processing technology, Hive Systems shows how long it would take a hacker to brute force a password. The table clearly demonstrates not only the importance of ensuring passwords are sufficiently complex, but also ensuring they are sufficiently long. The difference in time to crack a complex password increases substantially with each extra character: 31 seconds for 7 characters, 39 minutes for 8 characters, 2 days for 9 characters, 5 months for 10 characters, and 34 years for 11!

How Long Does it Take a Hacker to Guess a Password

How Long Does it Take a Hacker to Guess a Password – Source: Hive Systems

These times assume a hacker is using the latest and most powerful GPU. While these are expensive – upwards of $1,500 – a hacker does not necessarily need to purchase the hardware, as it is easy and relatively cheap to rent the hardware. Hackers could use the cloud and rent powerful computers and graphics hardware through Amazon AWS, for example, and could easily use multiple virtual machines simultaneously for password cracking.

Use a Password Manager to Generate and Store Your Passwords

There is a problem with setting long and unique passwords for all accounts. They are virtually impossible to remember. The solution is to use a password manager. A password manager can be used to generate a strong, random, and unique password for all accounts, and those passwords will be encrypted and stored in the user’s password vault. They will be auto-filled whenever they are needed, and there is no need to remember the passwords. All that is required is one strong password for the user’s password vault.

The best option to make that password memorable is to make up a long passphrase. If that passphrase is 15 characters and includes upper- and lower-case letters, numbers, and symbols, it would take a hacker a billion years to guess it.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news