Once Again, Most Folks Have it Backwards

In a discussion of password security, someone brought up a website listing the time to search the entire password space under different sets of circumstances. This is a ridiculous way to reason about password security: the time to exhaust the whole space is the attacker's worst case, not yours. Half of all passwords fall in the first half of the search, so half of them get cracked in half that time, and some fraction gets cracked in any shorter window you care to name.

So what's the right way to talk about how secure a password is against a brute-force attack? Fix the probability of a successful guess you are willing to tolerate over a given period, then solve for the length. The formula is the following (written in LaTeX notation):

$ L \ge \left\lceil \log_{n}\!\left(\frac{B \times T}{P}\right) \right\rceil $

where `n' is the number of characters in the password alphabet (10 for digits only; 62 for uppercase + lowercase + 0-9, which the rough figures below round up to 64; and so on), `B' is the number of guesses per second the attacker can make, `T' is the number of seconds in the period over which we want a given level of confidence that the password WON'T be guessed, and `P' is the probability that the attacker guesses it within time `T'. Oh, `L' is the minimum number of characters you'll need, assuming the password is drawn uniformly at random by a `good' pseudo-random password generator (a human-chosen password has a far smaller effective alphabet, and the formula does not apply to it).
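Where the formula comes from (this short derivation is added here and is not part of the original post): a uniformly random password of $L$ characters over an alphabet of $n$ symbols is one of $n^{L}$ equally likely strings. An attacker guessing $B$ times per second for $T$ seconds covers $B \times T$ of them, so the probability of success within $T$ is

$ P = \frac{B \times T}{n^{L}} $

Requiring this to be at most the tolerated $P$ and solving for $L$ gives $n^{L} \ge \frac{B \times T}{P}$, hence $L \ge \log_{n}\left(\frac{B \times T}{P}\right)$, rounded up because $L$ is a whole number of characters.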

As an aside, this also assumes the attacker is targeting just your account, not spraying each guess across X valid usernames at once; that is a different calculation 🙂

EDIT: So I did the math myself for a password to have a guess probability of 0.0001 for 50 years, made of uppercase letters, lowercase letters, and numbers. Oh, 1 trillion guesses per second. Answer: 14 characters. If we just take numbers, we'd need 26 to cover us for 50 years given those parameters. If we use all 96 letters, numbers, and symbols on a standard English keyboard, we could keep a password secure at the aforementioned guess probability over a 50-year period with 1 quadrillion (10^15) guesses per second with 15 characters. Just for fun: 1 trillion/sec and 0.001 and a one-year life span with a 64-character alphabet: 13. Let's face it: your passwords need to be at least 13 characters long if they change once per year, and at least 16 if they never change (barring crazy technology advances). 20 characters becomes necessary if you want a password to stay safe at the 0.001 level despite 50 years of concerted attempts (10^27 guesses per second, no less) to crack it.
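The formula above and the numbers in the EDIT, as an added Python example that is not part of the original post. It implements L = ceil(log_n(B*T/P)), its inverse (the probability of success after T seconds), and the exhaustive-search time the first paragraph objects to quoting on its own. It assumes a 365.25-day year, since the post does not say how it counted seconds. Running it reproduces the post's 14, 26, 15, 13 and 20 (the last with the 96-symbol alphabet) and also shows the same 50-year case with the exact 62-symbol upper + lower + digit alphabet.

```python
import math

# Assumed: a Julian year of 365.25 days (the post does not say how it counted seconds).
SECONDS_PER_YEAR = 365.25 * 86400


def min_length(n: int, guesses_per_second: float, seconds: float, p: float) -> int:
    """Minimum password length L over an n-symbol alphabet such that an attacker
    making B = guesses_per_second guesses for T = seconds against a uniformly
    random password succeeds with probability at most P = p.

    This is the post's L = ceil(log_n(B*T/P)).  The float estimate is checked
    against exact integer powers so that exact powers of n do not round wrongly.
    """
    if n < 2:
        raise ValueError("alphabet needs at least 2 symbols")
    if guesses_per_second <= 0 or seconds <= 0:
        raise ValueError("guess rate and time period must be positive")
    if not 0 < p <= 1:
        raise ValueError("P must be a probability in (0, 1]")
    target = guesses_per_second * seconds / p  # n**L must be at least this
    length = max(1, math.ceil(math.log(target) / math.log(n)))
    while length > 1 and n ** (length - 1) >= target:
        length -= 1  # float estimate was one too high
    while n ** length < target:
        length += 1  # float estimate was one too low
    return length


def success_probability(n: int, length: int, guesses_per_second: float, seconds: float) -> float:
    """Probability that a uniformly random length-L password is found within
    T seconds: min(1, B*T / n**L).  The inverse of min_length."""
    return min(1.0, guesses_per_second * seconds / n ** length)


def exhaustive_seconds(n: int, length: int, guesses_per_second: float) -> float:
    """Time to try the whole keyspace, the figure the post says not to rely on."""
    return n ** length / guesses_per_second


if __name__ == "__main__":
    fifty_years = 50 * SECONDS_PER_YEAR
    cases = [
        # (alphabet size, guesses/sec, seconds, P, description)
        (64, 1e12, fifty_years, 1e-4, "post: upper+lower+digits rounded to 64, 10^12/s, 50 y, P=0.0001"),
        (62, 1e12, fifty_years, 1e-4, "same parameters, exact 62-symbol alphabet"),
        (10, 1e12, fifty_years, 1e-4, "post: digits only"),
        (96, 1e15, fifty_years, 1e-4, "post: 96 keyboard symbols, 10^15/s"),
        (64, 1e12, SECONDS_PER_YEAR, 1e-3, "post: 64 symbols, 10^12/s, 1 y, P=0.001"),
        (96, 1e27, fifty_years, 1e-3, "post: 96 symbols, 10^27/s, 50 y, P=0.001"),
    ]
    for n, b, t, p, label in cases:
        print(f"L >= {min_length(n, b, t, p):2d}  {label}")

    # The first paragraph's point: at half the exhaustive-search time the
    # attacker already has a 50% chance, so the whole-space figure alone says
    # nothing about the odds inside a shorter window.
    full = exhaustive_seconds(64, 8, 1e12)
    print(f"8 chars over 64 symbols at 10^12/s: whole space in {full:.0f} s, "
          f"P(cracked by half that) = {success_probability(64, 8, 1e12, full / 2):.2f}")
```

Note that rounding the alphabet from 62 to 64 is not free: at 10^12 guesses per second over 50 years with P = 0.0001 the exact 62-symbol alphabet lands just over the 14-character boundary, so the function returns 15 for it. Always run the formula with the alphabet your generator actually uses.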

EDIT #2: I’d try to make the formula come out in LaTeX except I can’t seem to get it to parse . . .

