Brute Force Attack is the most widely known password cracking method.
This attack simply tries to use every possible character combination as
a password. To recover a one-character password it is enough to try 26
combinations (‘a’ to ‘z’). It is guaranteed that you will find the password,
but when? How long will it take? The two-character password will require
26*26=676 combinations. The number of possible combinations (and therefore
required time) grows rapidly as the length of the password increases and
this method quickly becomes useless. Are you ready to wait for two months
while your 9-character password is cracked? What about one hundred years
for an 11-character password? Besides the maximal length of the password,
you should also specify the character set, i.e. the list of characters
that will be included in the combinations. The longer the character set
is, the longer the required period of time is. Here is the problem: usually
you have no idea of what characters are present in the password. On the
one hand, you should specify all possible characters. On the other hand,
this can slow things down very much. Unfortunately, there are no common
ways to determine what character set to use. It is more a question of
luck and intuition. The only thing I can recommend is to begin with trying
short passwords using the full character set. Then you can increase the
length of the password while decreasing the character set to keep
the required time acceptable.
If the password is case sensitive (this is the most common situation),
there is another problem with the case.
There are three options:
1) You can assume that the password was typed in lower case (this is
most likely). In this case, the required time will stay the same, but if
the password contains upper case letters it will not be recovered.
2) You can try all combinations. The password is guaranteed to be found,
but the process slows down significantly. A 7-character lower case
password requires about 4 hours to be recovered, but if you would like
to try all combinations of upper case and lower case letters, it will
require 23 days.
3) The third method is a trade-off. Only the most probable combinations
are taken into consideration, for example "password", "PASSWORD" and
"Password". Complicated combinations like "pAssWOrD" are not. In this
particular case the process slows down to one third of the original
speed, but there is still a possibility to fail.
You can reduce the amount of time required by using faster computers (only
the CPU speed is important; the amount of RAM, the performance of the
hard drive and other hardware don’t affect the brute force speed), using
several computers, choosing the fastest password crackers or tuning the
brute force parameters wisely and accurately.
The table below shows the time required for Brute Force Attack depending
on the password length and the character set used. It is assumed that the
attack is carried out on a single computer and the brute force speed is
500 000 passwords per second.
| Length of the password | lowercase letters | lowercase letters and digits | both lowercase and uppercase letters | all printable ASCII characters |
|---|---|---|---|---|
| <= 4 | instant | instant | instant | 2 min |
| 5 | instant | 2 min | 12 min | 4 hours |
| 6 | 10 min | 72 min | 10 hours | 18 days |
| 7 | 4 hours | 43 hours | 23 days | 4 years |
| 8 | 4 days | 65 days | 3 years | 463 years |
| 9 | 4 months | 6 years | 178 years | 44530 years |

Bear in mind that the time shown above is the worst possible time. Brute
Force Attack tries all password combinations and you don’t know which
one of them is correct. If you’re lucky enough, the first combination
will succeed. If not, the correct combination will be tried last.
If you are not afraid of formulas: the required time is equal to
(C^L) / S / N, where C is the length of the character set, L is the
length of the password, S is the number of passwords checked per second,
and N is the number of computers used in password recovery.
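
The formula above, worked through for the table's parameters, as an added example that is not part of the original page. The 96-character "printable" set, the 30-day month, the 360-day year, the truncation and the unit switch-over points are assumptions inferred from the table's figures; min_length is a hypothetical helper that goes one step beyond the text and answers the policy question of how long a password must be to hold out for a given time.

```python
# Added example: worst-case brute-force time, (C^L) / S / N, as on the page.
# Assumptions inferred from the table's figures, not stated on the page:
# a 96-character "printable" set (printable ASCII is usually counted as 95),
# 30-day months, 360-day years, truncated values, and the unit switch-over points.

CHARSETS = {  # name -> C, the length of the character set
    "lowercase": 26,
    "lowercase+digits": 36,
    "lower+upper": 52,
    "printable": 96,
}
DAY = 86400
# (unit name, seconds per unit, smallest duration shown in that unit)
UNITS = [("years", 360 * DAY, 360 * DAY), ("months", 30 * DAY, 100 * DAY),
         ("days", DAY, 100 * 3600), ("hours", 3600, 100 * 60), ("min", 60, 100)]


def worst_case_seconds(charset_size, length, speed=500_000, computers=1):
    """(C^L) / S / N in whole seconds; integer arithmetic avoids float error."""
    return charset_size ** length // (speed * computers)


def humanize(seconds):
    """Truncated duration in the table's style; under 100 s is 'instant'."""
    for name, size, shown_from in UNITS:
        if seconds >= shown_from:
            return f"{seconds // size} {name}"
    return "instant"


def table(lengths=range(4, 10)):
    """One (length, [cell per character set]) row per password length."""
    return [(n, [humanize(worst_case_seconds(c, n)) for c in CHARSETS.values()])
            for n in lengths]


def min_length(charset_size, target_seconds, speed=500_000, computers=1):
    """Hypothetical helper for policy work: shortest length whose worst case
    reaches target_seconds against the given guessing capacity."""
    length = 1
    while worst_case_seconds(charset_size, length, speed, computers) < target_seconds:
        length += 1
    return length


if __name__ == "__main__":
    for n, cells in table():
        print(n, *cells, sep=" | ")
    # Lowercase-only length needed to hold out 100 (360-day) years at 500 000/s
    print(min_length(26, 100 * 360 * DAY))
```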