2010-02-03, 05:03 AM
Kortestanov Wrote:Even if database leaks are the cause of it, a 12 char password isn't needed:
The speed of md5 hash cracking via GPU acceleration is about 1 billion hashes per second.
The amount of possible passwords for a N chars long password (assuming the hacker doesn't know that it's N chars long and starts from the minimum, 4): for (i=4 to N) { keyspace P i }
keyspace is 62 for lowcase letters, highcase letters and numbers, and 72-80 if you add the signs (depending on which signs do you count in the calculation).
I took a keyspace of 72 letters, meaning a password with low and high case letters, numbers and simple signs. The number of possible passwords for only a 9 char password is about 3.13 * 10^16. divide that by a billion (10^9), you get about 3.13 * 10^7, meaning 31,300,000 seconds to crack the password. Thats almost a year. No one is going to waste that much time on cracking a password.
I'm not sure what your exposure unit is, is it 1 billion hashes per computer or organized network or what? Let's just say you're right 72^9/10^9 = time to crack a specific passsword, which is around 520 million second (not sure where you get 3.13e16 at), translated to 1.65 years. You're forgetting the fact that they have more than one specific target. If passwords are uniformally and identically distributed and say 2000 users have 9-letter long passwords, so divide that by 2000 and you get 7.22 hours per successful crack. Suddenly it doesn't look as nice. You can also argue that my method will incorporate multiple checkings so in the end it's still as many comparisons as like targetting one target, but using quicksort or whatever efficient method, you can end up with log n or less comparsions instead of n. (Let's say log 2000/log 2) = 11, multiply this to 7.22 hours and you get 79.42 hours, I sure wouldn't feel safe. But each subsequent letter will increase the average crack time by 72x of previous.
10-letter -> 238.26 days
11-letter -> 47 years
12-letter -> 3384 years
Bottom-line is, it's 'safer' to have longer passwords and what's stopping you to having them? An old guildmate of mine is presumed hacked as well just today and she hasn't logged on for 7 or 8 months now.

