A secure password is a random string of letters (both upper case and lower case), numbers and special symbols, rather than simply a dictionary word.
All passwords should be stored as a hash, so that nobody with access to the database they are stored in can simply see all the plain text passwords.
The advantage is that a totally random password cannot be guessed from a word list and can only be broken by brute force: a program generates candidate strings, hashes each one with the same hash function and compares the result with the hash in the database. When a hash matches, that candidate is the password.
On a powerful computer, a well written program can run through around 17 billion generate-hash-compare steps per hour (2 * (2^33) = 17,179,869,184). This assumes a fast general-purpose hash; a password hash that is deliberately slow to compute cuts this rate by orders of magnitude, so the figures below are the defender's worst case.
The longer the password is, the longer it takes to crack by brute force. The tables below give the average time to find a password, i.e. the time to search half of all possible strings at 17 billion attempts per computer per hour, with the work split evenly across the computers in each column.
Upper or Lower Case Only (26 characters)
| No. Characters | 1 Computer | 100 Computers | 1,000 Computers (small botnet) |
|---|---|---|---|
| 8 | 6.08 hours | 0.06 hours | 0.006 hours |
| 10 | 4,108.5 hours | 41.085 hours | 4.1085 hours |
| 12 | 2,777,348.18 hours | 27,773.48 hours | 2,777.35 hours |
Mixed Case and Numbers (62 characters)
| No. Characters | 1 Computer | 100 Computers | 1,000 Computers (small botnet) |
|---|---|---|---|
| 8 | 6,354.53 hours | 63.55 hours | 6.35 hours |
| 10 | 24,426,826.45 hours | 244,268.26 hours | 24,426.83 hours |
| 12 | 93,896,720,861.02 hours | 938,967,208.61 hours | 93,896,720.86 hours |
Mixed Case, Numbers and Special Symbols (94 printable ASCII characters, excluding the space)
| No. Characters | 1 Computer | 1,000 Computers | 100,000 Computers (larger botnet) |
|---|---|---|---|
| 8 | 177,407.91 hours | 177.41 hours | 1.77 hours |
| 10 | 1,567,576,296.21 hours | 1,567,576.30 hours | 15,675.76 hours |
| 12 | 13,851,104,153,269.40 hours | 13,851,104,153.27 hours | 138,511,041.53 hours |
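The calculation behind the tables, as an added example that is not code from the original page. It reproduces the page's figures under three assumptions the text implies but does not spell out: an attacker searches half the keyspace on average before hitting the password, each computer tests 2 * 2^33 candidates per hour, and the three character sets have 26, 62 and 94 characters. The function and constant names, and the "slow hash" rate at the end, are this example's own.

```python
# Added example (not from the original page): the brute-force cost model behind the tables.
# Assumptions (implied by the page's figures, verified to reproduce them):
#   * on average half the keyspace is searched before the password is found;
#   * each machine tests 2 * 2**33 candidates per hour, as the text states;
#   * the character sets are 26, 62 and 94 characters (printable ASCII without the space).
import math
import secrets
import string

RATE_PER_HOUR = 2 * 2 ** 33   # ~17.18 billion generate-hash-compare steps per machine per hour
HOURS_PER_YEAR = 8766         # 365.25 days; this conversion matches the page's year figures

# The three character sets used by the tables (the names are this example's own).
LOWER = string.ascii_lowercase                  # 26: "upper or lower case only"
ALNUM = string.ascii_letters + string.digits    # 62: "mixed case and numbers"
PRINTABLE = ALNUM + string.punctuation          # 94: "mixed case, numbers and special symbols"


def keyspace(length: int, charset_size: int) -> int:
    """Number of distinct strings of exactly `length` characters drawn from the set."""
    return charset_size ** length


def expected_hours(length: int, charset_size: int, machines: int = 1,
                   rate_per_hour: int = RATE_PER_HOUR) -> float:
    """Average hours to find a uniformly random password by exhaustive search.

    Half the keyspace is tried on average; the work divides evenly across
    `machines`, each testing `rate_per_hour` candidates per hour.
    """
    return keyspace(length, charset_size) / 2 / (rate_per_hour * machines)


def expected_years(length: int, charset_size: int, machines: int = 1,
                   rate_per_hour: int = RATE_PER_HOUR) -> float:
    """Same as expected_hours, converted to years."""
    return expected_hours(length, charset_size, machines, rate_per_hour) / HOURS_PER_YEAR


def entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of a uniformly random password: log2 of the keyspace size."""
    return length * math.log2(charset_size)


def table_rows(charset_size: int, lengths=(8, 10, 12), machine_counts=(1, 100, 1000)):
    """One row per length, as in the page's tables: hours rounded to 2 decimals."""
    return {n: [round(expected_hours(n, charset_size, m), 2) for m in machine_counts]
            for n in lengths}


def generate_password(length: int, charset: str = PRINTABLE) -> str:
    """Draw a password uniformly from `charset` with the OS CSPRNG (secrets, not random)."""
    return "".join(secrets.choice(charset) for _ in range(length))


if __name__ == "__main__":
    for name, cs, machines in (("upper or lower case only", LOWER, (1, 100, 1000)),
                               ("mixed case and numbers", ALNUM, (1, 100, 1000)),
                               ("mixed case, numbers and symbols", PRINTABLE, (1, 1000, 100000))):
        print(f"{name} ({len(cs)} characters)")
        for n, hours in table_rows(len(cs), machine_counts=machines).items():
            print(f"  {n:2d} chars: " + "  ".join(f"{h:,.2f} h on {m:,}" for h, m in zip(hours, machines)))
    pw = generate_password(12)
    print(f"\nexample 12-char password: {pw!r}  ({entropy_bits(12, len(PRINTABLE)):.1f} bits, "
          f"{expected_years(12, len(PRINTABLE), 100_000):,.0f} years on 100,000 machines)")
    # Assumed figure for a deliberately slow password hash: 10,000 per second per machine,
    # i.e. 36,000,000 per hour, about 477 times slower than RATE_PER_HOUR.
    print(f"slow hash: {expected_years(12, len(PRINTABLE), 100_000, 36_000_000):,.0f} years")
```

Running the script prints the three tables with the same figures as above; the `rate_per_hour` parameter is where a slow password hash changes the picture, and `entropy_bits` gives the length-and-character-set trade-off directly (a 12 character password from the 94 character set has about 78.7 bits, against 52.4 bits for 8 characters).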
As you can see, not only the character space (upper case/lower case/numbers/symbols) matters, but also the string length. An 8 character, totally random string using mixed case, numbers and symbols could be cracked in under two hours on a 100,000 computer botnet, and an attacker who has stolen a password database may well have access to something like this; a 12 character string from the same character set would take over 15,800 years on the same botnet.
P.S. A 32 character mixed case, numbers and symbol password would take about 45,839,513,591,436,800,000,000,000,000,000,000,000,000,000 years (roughly 4.6 * 10^40) to brute force on 100,000,000 (100 million) computers, which is more than a million-trillion-trillion (10^30) times longer than the universe has existed (about 13.8 billion years).