Brute-force attacks

In a brute-force attack the attacker tries to recover a password by testing candidate character combinations one after the other, as quickly as possible. The algorithm is very simple and amounts to trying every possible combination, which is why it is also called an "exhaustive search". The attacker usually uses high-performance hardware that performs an enormous number of operations per second and can therefore test a correspondingly large number of candidates in a short time.

The method is often successful in practice because many users choose short passwords, frequently made up only of lowercase letters, which drastically reduces the number of possible combinations and makes guessing easier.

Speed of an exhaustive search

The RC5-72 project of the organization Distributed.net shows how fast an exhaustive search can proceed. The aim of the project is to decrypt a message that was encrypted with a 72-bit key by trying every possible key until the right one is found. Because many users contribute the computing capacity of their machines to this project, currently (as of May 8, 2012) more than 800 billion keys per second can be tested. Earlier projects of this organization found a 56-bit key within 250 days and a 64-bit key within 1,757 days. Each additional 8 bits of key length multiplies the number of keys to try by 256, which is why the 72-bit search is a far larger task than either of those.

Combination and length of the password

The following examples illustrate how the length of a password and the characters it uses interact to determine its security. The examples assume a rate of 2 billion guesses per second, which corresponds roughly to the speed of a single very powerful computer. The real rate depends on the attacker's hardware and on how the password is verified, so the absolute times are illustrative; the ratios between the rows are what matter.

When creating a password, the following characters are usually available:

  • Numbers (10 different: 0-9)
  • Letters (52 different: A-Z and a-z)
  • Special characters (32 different)

The number of possible combinations is calculated using the following formula:

Possible combinations = (number of possible characters) ^ (password length)

The "number of possible characters" is the size of the whole character set the password may draw from (for example 26 + 10 = 36 for lowercase letters and digits), not the number of characters actually used: the attacker does not know the composition and has to search the whole set. This gives the following calculation examples, without considering other factors such as dictionary attacks. The times are for exhausting the entire key space; on average the correct password is found after about half that time.

Password consists of:      5 characters (3 lowercase letters, 2 numbers; character set 26 + 10 = 36)
Possible combinations:     36^5 = 60,466,176
Time required to crack:    60,466,176 / 2,000,000,000 = 0.03 seconds

Password consists of:      7 characters (1 capital letter, 6 lowercase letters; character set 26 + 26 = 52)
Possible combinations:     52^7 = 1,028,071,702,528
Time required to crack:    1,028,071,702,528 / 2,000,000,000 = 514 seconds = approx. 9 minutes

Password consists of:      8 characters (4 lowercase letters, 2 special characters, 2 numbers; character set 26 + 32 + 10 = 68)
Possible combinations:     68^8 = 457,163,239,653,376
Time required to crack:    457,163,239,653,376 / 2,000,000,000 = 228,581 seconds = approx. 2.6 days

Password consists of:      9 characters (2 uppercase letters, 3 lowercase letters, 2 numbers, 2 special characters; character set 26 + 26 + 10 + 32 = 94)
Possible combinations:     94^9 = 572,994,802,228,616,704
Time required to crack:    572,994,802,228,616,704 / 2,000,000,000 = 286,497,401 seconds = approx. 9.1 years

Password consists of:      12 characters (3 uppercase letters, 4 lowercase letters, 3 special characters, 2 numbers; character set 94)
Possible combinations:     94^12 = 475,920,314,814,253,376,475,136
Time required to crack:    475,920,314,814,253,376,475,136 / 2,000,000,000 = 237,960,157,407,127 seconds = approx. 7.5 million years

The examples show very clearly how the length of the password and the use of several character groups affect its security: every additional character multiplies the attacker's work by the size of the character set, and every additional character group enlarges that set.
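The calculation above, as an added example that is not part of the original page: a small calculator that reproduces the table under the page's own assumptions (the attacker knows only which character classes may occur and tests 2 billion candidates per second). It goes slightly beyond the table by also counting all shorter lengths, which a real brute-forcer tries first, and by expressing the key space in bits so it can be compared with the key lengths in the Distributed.net section. The class sizes, rate and table rows are the page's; everything else is this example's own.

```python
"""Key-space and brute-force time calculator for a password policy.

Added example (not part of the original page): it reproduces the table above
under the page's own assumptions, namely that the attacker knows only which
character classes the password may contain, not its exact composition, and can
test 2 billion candidates per second.
"""
import math

# Character-class sizes used by the page
DIGITS = 10     # 0-9
LOWER = 26      # a-z
UPPER = 26      # A-Z
SPECIAL = 32    # printable special characters, the page's count

GUESSES_PER_SECOND = 2_000_000_000      # the page's "very strong single computer"
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(lower=True, upper=False, digits=False, special=False):
    """Size of the character set the attacker has to search. Only the classes
    matter: a password with 3 lowercase letters and 2 digits lives in the same
    36-symbol alphabet as one with 1 lowercase letter and 4 digits."""
    return ((LOWER if lower else 0) + (UPPER if upper else 0)
            + (DIGITS if digits else 0) + (SPECIAL if special else 0))


def keyspace(n, length):
    """Passwords of exactly `length` characters over an n-symbol alphabet: n ** length."""
    return n ** length


def keyspace_up_to(n, max_length):
    """Passwords of 1..max_length characters. A brute-forcer tries the short
    lengths first, so this is what it really exhausts; it exceeds
    keyspace(n, max_length) only by a factor of about n / (n - 1)."""
    return sum(n ** k for k in range(1, max_length + 1))


def entropy_bits(n, length):
    """log2 of the key space, so the result is comparable to a symmetric key length."""
    return length * math.log2(n)


def crack_seconds(n, length, rate=GUESSES_PER_SECOND, average=False):
    """Worst-case time to exhaust the key space at `rate` guesses per second,
    or (average=True) the expected time, which is half of that."""
    space = keyspace(n, length)
    return space / rate / (2 if average else 1)


def human_time(seconds):
    """Round a duration to the unit the page's table uses."""
    if seconds < 60:
        return f"{seconds:.2f} seconds"
    if seconds < 86400:
        return f"{seconds / 60:.1f} minutes"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.1f} years"


# The rows of the page's table: (length, lowercase, uppercase, digits, special)
TABLE = [
    (5, True, False, True, False),
    (7, True, True, False, False),
    (8, True, False, True, True),
    (9, True, True, True, True),
    (12, True, True, True, True),
]


def table_rows(rate=GUESSES_PER_SECOND):
    """(length, alphabet size, combinations, entropy bits, worst-case time) per row."""
    rows = []
    for length, lo, up, dg, sp in TABLE:
        n = alphabet_size(lo, up, dg, sp)
        rows.append((length, n, keyspace(n, length), entropy_bits(n, length),
                     human_time(crack_seconds(n, length, rate))))
    return rows


if __name__ == "__main__":
    print(f"{'len':>3} {'n':>3} {'combinations':>32} {'bits':>5}  worst-case time")
    for length, n, space, bits, t in table_rows():
        print(f"{length:>3} {n:>3} {space:>32,} {bits:>5.1f}  {t}")
```

Running the script prints the five rows of the table. The bits column ties the two sections together: 94^12 is about 78.7 bits, roughly a hundred times (2^6.7) more candidates than the 72-bit RC5 key Distributed.net is searching, and even 2^72 keys at that project's 800 billion keys per second take about 187 years in the worst case (2^72 / 8e11 seconds).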

Protection against brute-force attacks

The most important defence against brute-force attacks is a master password that is long enough and combines letters in upper and lower case, numbers and special characters. The longer and more complex your password is, the lower the likelihood that the attacker's software will hit your chosen combination, as the calculation examples above show.

When you create a new password in Password Depot, or have one generated automatically with the Password Generator, you will see how long it would take to crack that password. Password Depot not only considers the factors above, such as the number of characters, but also other weaknesses, such as susceptibility to dictionary attacks.

Another way to make brute-force attacks more difficult is to lengthen the waiting time between two login attempts after a password has been entered incorrectly. This slows the attacker down regardless of how many calculations per second their hardware could theoretically perform, because every guess has to pass through the login dialog. That is why in Password Depot the master password dialog is locked for a few seconds after an incorrect master password is entered, and the waiting time grows the more often a wrong password is entered in a row. Note that such a delay only throttles guesses made through the dialog; it does not slow down an attacker who has copied the database file and tests candidates against it offline, which is why the length and complexity of the master password remain the primary defence.
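The escalating lockout described above, as an added example that is not Password Depot's own code. The page does not document the product's actual delays, so the schedule here (1 second after the first wrong attempt, doubling with every further consecutive failure, capped at 5 minutes) is an assumption, as are the PBKDF2 storage of the verifier and the injected clock that lets the example run without sleeping. The `guesses_within` helper shows what the throttle buys: how many guesses the schedule allows per day, to set against the 2 billion per second of the offline calculation.

```python
"""Escalating lockout after wrong master-password attempts.

Added example, not Password Depot's code: the page does not document the
product's actual delays, so the schedule here (1 second after the first wrong
attempt, doubling with every further consecutive failure, capped at 5 minutes)
is an assumption. The clock is injected so that the example runs instantly.
"""
import hashlib
import hmac
import os
import time


def derive(password, salt, iterations=100_000):
    """PBKDF2-HMAC-SHA256 of the password; only this, never the password, is stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class ThrottledLogin:
    BASE_DELAY = 1.0     # seconds of lockout after the first wrong attempt (assumption)
    MAX_DELAY = 300.0    # cap, so a few typos do not lock the legitimate user out for hours

    def __init__(self, password, clock=time.monotonic):
        self.clock = clock
        self.salt = os.urandom(16)
        self.verifier = derive(password, self.salt)
        self.failures = 0          # consecutive wrong attempts
        self.locked_until = 0.0    # clock value until which attempts are refused

    def delay_for(self, failures):
        """Lockout imposed after `failures` consecutive wrong attempts: 1, 2, 4, ... 300 s."""
        if failures <= 0:
            return 0.0
        return min(self.BASE_DELAY * 2 ** (failures - 1), self.MAX_DELAY)

    def attempt(self, candidate):
        """Returns "ok", "wrong" or "locked". While locked the candidate is not
        even compared, so a guess made too early yields no information and does
        not shorten the wait."""
        now = self.clock()
        if now < self.locked_until:
            return "locked"
        # constant-time comparison so the response time does not leak how many bytes matched
        if hmac.compare_digest(derive(candidate, self.salt), self.verifier):
            self.failures = 0
            self.locked_until = 0.0
            return "ok"
        self.failures += 1
        self.locked_until = now + self.delay_for(self.failures)
        return "wrong"


def guesses_within(login, seconds):
    """Number of guesses the schedule allows in `seconds`, for an attacker who
    retries the instant each lockout expires. Compare with 2 billion per second."""
    n, t = 1, 0.0                  # the first guess is immediate
    while True:
        t += login.delay_for(n)    # wait imposed after guess number n
        if t > seconds:
            return n
        n += 1


class FakeClock:
    """Test double for time.monotonic so the demo does not have to sleep."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


if __name__ == "__main__":
    clock = FakeClock()
    login = ThrottledLogin("correct master password", clock=clock)
    for guess in ("wrong1", "wrong2", "wrong3"):   # constructed sample guesses
        print(guess, "->", login.attempt(guess), "lock", login.delay_for(login.failures), "s")
        clock.advance(login.delay_for(login.failures))
    print("right password ->", login.attempt("correct master password"))
    print("guesses possible per day through the dialog:", guesses_within(login, 86400))
```

With this schedule an attacker who waits out every lockout gets 296 guesses in the first day and then about 288 per day (86,400 s / 300 s), compared with the 2 billion per second assumed in the table. Two details matter in practice: a guess submitted during the lockout is rejected without being compared, so it neither reveals anything nor resets the timer, and the cap keeps a legitimate user who mistypes a few times from being locked out for hours.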