Go to the Kaspersky Secure Password Check website (password.kaspersky.com) and there is a box into which you can enter a password. Although this is a secure website using https and it is run by a security company, you shouldn’t use any real passwords. Instead, use a similar one or try to think of a new password that you might use.
After entering your password, it is analysed and the site tells you how long it would take to guess using a brute force method. The password I entered was created by tapping six random letters on the keyboard. I didn’t look at what it was and it didn’t make a word, but Kaspersky said it would take as little as three hours to crack it.
The brute force method of cracking passwords is simply to try combination after combination of letters, dictionary words, or words with a number or two tacked onto the end. Computers work so quickly that one can get through enough combinations to hit the right one in three hours.
It gets worse. Scroll down the page a bit and it tells you how long different computers would take. A typical home computer (an Apple MacBook is quoted, but it could just as easily be a Windows PC) would take three hours, but the Conficker botnet, a well-known piece of malware, would take just one second!
Presumably it would do this by combining the computing power of hundreds or thousands of infected computers.
It is quite difficult to think of secure passwords and hitting random keys is one way. Six letters is not sufficiently secure and is too easily cracked. Adding a seventh letter increases the time to two days, an eighth increases it to 12 days, nine characters jumps to four months and ten characters to four years.
Every character you add significantly increases the security of the password. It can also be improved by including upper and lowercase letters, and made even better by adding symbols like !, #, % and others.
The problem is trying to remember what you typed. It is impossible. One way is to open Notepad and type random characters into it to create the password, then copy it and paste it into the password box. You obviously need to store that password somewhere so you don’t forget it.
A password manager or password generator solves the problem and the best tools can detect when passwords are required on web pages and then automatically suggest them. Here is LastPass. Clicking the button displays a drop-down panel with a suitably complex password and clicking Use Password will store it and the website in LastPass, so you don’t need to remember it.
So how did LastPass do? Inserting the password into the box showed it to be pretty good and it would take a home computer four centuries to guess.
Brute force methods of guessing passwords by trying thousands of combinations of letters, words and numbers don’t actually work. At least they shouldn’t. Any half decent security system counts the number of times a password is entered incorrectly and either temporarily or permanently locks you out if there are too many failures.
You might only get three chances to guess the password and then have to wait 10 minutes to an hour before you can try again. For this reason it is probably best to take those cracking times with a big pinch of salt.
No matter how powerful the computer or malware, if it only gets three guesses before an account is locked then it won’t be able to guess even an easy password. That isn’t an excuse for using a simple one and this password checker is still useful because it shows the difference between weak and strong passwords and the time it takes to crack them, theoretically, with no limit on the number of tries.
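To make the two points above concrete (each extra character multiplying the search space, and a lockout policy throttling online guessing), here is a small model written for this post rather than taken from Kaspersky's checker. It assumes an exhaustive search over a fixed alphabet, a guess rate calibrated so that six lowercase letters take about three hours as reported above, and a constructed lockout policy of three attempts followed by a ten-minute wait.

```python
# Alphabet sizes for the character classes the post mentions.
ALPHABETS = {
    "lowercase": 26,
    "lowercase+uppercase": 52,
    "lowercase+uppercase+digits": 62,
    "printable ASCII": 95,
}

# Constructed lockout policy: 3 wrong attempts, then a 10-minute wait.
ATTEMPTS_BEFORE_LOCK = 3
LOCKOUT_SECONDS = 10 * 60

# Assumed guess rate, calibrated so 6 lowercase letters take ~3 hours.
CALIBRATED_RATE = 26 ** 6 / (3 * 3600)


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates an exhaustive search must try in the worst case."""
    return alphabet_size ** length


def offline_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time when nothing throttles the attacker, e.g. when a
    stolen copy of the password database is attacked away from the server."""
    return keyspace(alphabet_size, length) / guesses_per_second


def online_seconds(alphabet_size: int, length: int,
                   attempts: int = ATTEMPTS_BEFORE_LOCK,
                   lockout: int = LOCKOUT_SECONDS) -> float:
    """Worst-case time when every guess goes through a login form that
    locks the account for `lockout` seconds after `attempts` failures."""
    return keyspace(alphabet_size, length) * lockout / attempts


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that fits, e.g. '4.1 years'."""
    units = [("years", 365.25 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    for length in range(6, 11):
        cells = [f"{name}: {humanize(offline_seconds(size, length, CALIBRATED_RATE))}"
                 for name, size in ALPHABETS.items()]
        cells.append(f"lowercase via locked login: {humanize(online_seconds(26, length))}")
        print(f"{length} chars | " + " | ".join(cells))
```

The last column shows why the checker's times are theoretical: with only three tries per ten minutes, even six lowercase letters take centuries, which is the situation a lockout policy is designed to create.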