Passwords, a comparison

[Michi]

After watching a documentation about how much times it takes for Pros to crack a password I asked ChatGPT the below questions:
(the provided password I invented )


Original Question: How long would a brute-force attack on a password "mlUk55ai249" take?

First Response: The duration of a brute-force attack on a password depends on several factors, including the length and complexity of the password, as well as the speed of the attacker's system. Let's analyze your password "mlUk55ai249":

Length: 10 characters
Character set: Lowercase letters (26), uppercase letters (26), digits (10)
The combined character set has 26 + 26 + 10 = 62 possible characters.

The total number of possible passwords of this length is 62^10. This is a very large number:

62^10 ≈ 8.39 × 10^17 possible combinations

The time a brute-force attack would take depends on how fast the attacker can test passwords. Assuming the attacker can test 1 billion (10^9) passwords per second, the time in seconds to test all possible combinations would be:

8.39 × 10^17 / 10^9 = 8.39 × 10^8 seconds

Converted into:

Minutes: 8.39 × 10^8 / 60 ≈ 1.40 × 10^7
Hours: 1.40 × 10^7 / 60 ≈ 2.33 × 10^5
Days: 2.33 × 10^5 / 24 ≈ 9713
Years: 9713 / 365 ≈ 26.6
Therefore, a brute-force attack on the password "mlUk55ai249" at a rate of 1 billion passwords per second would take about 26.6 years.

Second Question: What if the above password contained an exclamation mark instead of the letter "i"?

Second Response: If the password "mlUk55ai249" instead had an exclamation mark, becoming "mlUk55a!249", the character set would include an additional special character. Let's update the calculations accordingly:

Length: 10 characters
Character set: Lowercase letters (26), uppercase letters (26), digits (10), special characters (1, in this case, only the exclamation mark)
The combined character set now has 26 + 26 + 10 + 1 = 63 possible characters.

The total number of possible passwords remains similar 63^10.

With a rate of 1 billion passwords per second, the time required for a brute-force attack would also be approximately 26.6 years, showing minimal change due to the addition of a special character.

Third Question: What if the above password was only 8 characters long with one special character?

Third Response: If the password were 8 characters long with one of those characters being a special character, such as "mlUk5!a2":

Length: 8 characters
Character set: Lowercase letters (26), uppercase letters (26), digits (10), special characters (1)
The combined character set has 26 + 26 + 10 + 1 = 63 possible characters.

The total number of possible passwords of this length is 63^8 ≈ 2.18 × 10^14.

At a rate of 1 billion passwords per second, the time required to brute-force such a password would be:

2.18 × 10^14 / 10^9 = 2.18 × 10^5 seconds

Converted into:

Minutes: 2.18 × 10^5 / 60 ≈ 3.63 × 10^3
Hours: 3.63 × 10^3 / 60 ≈ 60.5
Days: 60.5 / 24 ≈ 2.52
Thus, a brute-force attack on an 8-character password like "mlUk5!a2" would take about 2.52 days at a rate of 1 billion passwords per second.

Fourth Question: A forensic expert cracked it in 2.5 minutes. How long would he need for the initially mentioned password?

Fourth Response: If a forensic expert can crack an 8-character password in 2.5 minutes, we calculate the rate at which he tests passwords per second:

Time for the 8-character password: 2.5 minutes = 150 seconds
Number of passwords tested per second for the 8-character password: 1 / 150 passwords per second
Now, we calculate the time the forensic expert would need to crack the 10-character password "mlUk55ai249":

Number of possible combinations for the 10-character password: 62^10
Time in seconds for the 10-character password: 62^10 / (1 / 150) = 150 × 62^10
Calculating this:

62^10 ≈ 8.39 × 10^17

150 × 8.39 × 10^17 ≈ 1.26 × 10^20 seconds

Now, converting this into years:

1.26 × 10^20 / (60 × 60 × 24 × 365) ≈ 4.0 × 10^12 years

This means the forensic expert would need approximately 4.0 × 10^12 years to crack the password "mlUk55ai249" at the same rate as the 8-character password. Such an enormous span underscores why longer and more complex passwords significantly enhance security against brute-force attacks.

Fifth Question: How would the time change for an 11-character password?

Fifth Response: To calculate the time for an 11-character password, such as "mlUk55ai249x", we first determine the number of possible combinations and then consider the rate at which the forensic expert can test passwords per second.

Length: 11 characters
Character set: Lowercase letters (26), uppercase letters (26), digits (10), special characters (1)
The combined character set has 26 + 26 + 10 + 1 = 63 possible characters.

The total number of possible passwords of this length is 63^11 ≈ 5.74 × 10^20.

Assuming the forensic expert can test passwords at a rate of 1 / 150 passwords per second:

5.74 × 10^20 / 150 ≈ 3.83 × 10^18 seconds

Converted into:

Minutes: 3.83 × 10^18 / 60 ≈ 6.39 × 10^16
Hours: 6.39 × 10^16 / 60 ≈ 1.07 × 10^15
Days: 1.07 × 10^15 / 24 ≈ 4.48 × 10^13
Years: 4.48 × 10^13 / 365 ≈ 1.23 × 10^11
Therefore, a brute-force attack on an 11-character password like "mlUk55ai249x" at a rate of 1 / 150 passwords per second would take approximately 123 billion years.

This calculation demonstrates the vast differences in time required to crack longer passwords, even at relatively high testing rates. It underscores the importance of using longer passwords to enhance security.

-----------------------------------------------------------------------------------------------------------------------------------

But hackers don't have to rely on cracking passwords only.
They may just get yours from a compromised site.
Thus - changing passwords from time to time helps and check your's at: https://haveibeenpwned.com/Passwords

See also: https://projectavalon.net/forum4/sho...light=password

[Rawhide68]

Maybe not soon, or soon, who knows? They are going to get thoughts from your mind, and if they are mind readers like 1984 or Brave new world we are all fkd!

[Open Minded Dude]

I wonder how long will it take for a brute-force attacker to crack the password I take for most of my services and sites:

password