Security researchers talk about a passwordless utopia for the future, but we’re not there yet. Till we arrive, here are some quick tips to make sure your online accounts remain secure.

First let’s talk about how quickly weak passwords can be broken: very fast.

Passwords can be cracked faster than this chart indicates if you are a high value target and your attacker has a budget. This chart represents the amount of time it takes a threat actor to break your password under common conditions with easily found modern hardware.

The length of time it takes to crack a password.

This data is provided by a great write-up by Hive Systems.

“My passwords fall under the weak category? Should I use a password manager to beef them up?”

How many online accounts do you have? 30? 40? 200? And does each and every one of them have a truly unique password (not just minor variations) that consists of numbers, upper/lowercase letters, and symbols? I’m sure there are people with extraordinary memories for whom this would be effortless, but I’m just not one of them. That is exactly why I use a password manager. All of my passwords look like this:

xbH9,uJ6gnGza6%n]lvyrQIjwnP)

I also oftentimes see people using password managers to store passwords that they themselves have created. I ask you, “whyyyyyyy?” Your password manager provides you with a random password generator, so use that instead, and increase the security of your passwords with effortless ease!

“If I can remember my password, is it secure?”

Xkcd always provides a humorous look at complex topics :)

Obviously, there are some passwords that you’ll need to remember by heart (like the one that unlocks your password manager). To make your passwords easy to remember, but hard to crack, use a “passphrase.” This Xkcd comic is on the older side when passwords were less easily cracked. Today, you’ll want to make sure you’re using a number, upper/lowercase letter, and symbol in your password. Regardless, the logic is easy to follow: there is no need to make hard to remember passwords, just hard to crack passwords. So make the passwords you do need to remember long and strong. 18 characters and up is a good starting point for non-randomly generated passphrases.
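To make the two pieces above concrete (the Hive Systems crack-time chart, and the random-generator vs. passphrase advice), here is an added example that is not from the original post: it generates a manager-style random password and an xkcd-style passphrase with a CSPRNG, then estimates the keyspace each presents to an attacker and how long exhausting it would take at an assumed guess rate. The wordlist and the guesses-per-second figure are constructed stand-ins.

```python
import math
import secrets
import string

# Character classes the post recommends: digits, upper/lowercase letters, symbols.
CLASSES = (string.digits, string.ascii_uppercase, string.ascii_lowercase, string.punctuation)
ALPHABET = "".join(CLASSES)

# Constructed tiny wordlist; a real passphrase generator would use a large list
# (assumption: something like the 7,776-word EFF diceware list).
WORDS = ("correct", "horse", "battery", "staple", "ocean", "pencil", "window", "guitar")


def random_password(length=28):
    """Password-manager style: CSPRNG draw from all classes, retried until each class appears."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in CLASSES):
            return pw


def passphrase(words=4, wordlist=WORDS, sep="-"):
    """xkcd-style passphrase: words chosen uniformly at random with a CSPRNG."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def bruteforce_bits(password):
    """Keyspace (in bits) an attacker faces if they must brute-force every class present."""
    size = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    return len(password) * math.log2(size)


def passphrase_bits(words, wordlist_size):
    """Keyspace if the attacker knows the wordlist and only guesses word combinations."""
    return words * math.log2(wordlist_size)


def crack_seconds(bits, guesses_per_second=1e11):
    """Expected time to find the password (half the keyspace) at an assumed guess rate.
    1e11 guesses/s is a constructed figure standing in for a GPU rig; adjust to match the chart."""
    return 2 ** bits / 2 / guesses_per_second


if __name__ == "__main__":
    pw, pp = random_password(), passphrase()
    years = crack_seconds(bruteforce_bits(pw)) / 31_557_600
    print(pw, f"{bruteforce_bits(pw):.0f} bits", f"~{years:.3g} years to brute-force")
    print(pp, f"{passphrase_bits(4, 7776):.0f} bits if the attacker knows the wordlist")
```

The passphrase figure is the honest one to compare against the chart: an attacker who knows you used a wordlist guesses words, not characters, which is why the post's 18-character-and-up advice matters.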

“Have some of my old passwords been leaked in a data breach? Is reusing a password a bad idea?”

Is the Pope Catholic? Is the sun bright? Is Mount Everest tall? The answer is yes to all of the above. Data breaches happen all the time. All you can do is hope that the leaked data that contained your password was hashed (run through a one-way function rather than stored as plain text) and salted (not the kind that goes on popcorn) so that your hashed password isn’t easily cracked by the attacker.
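An added example (not from the original post) of what “hashed and salted” means for the defender: an unsalted hash gives two users with the same password identical digests, so cracking one cracks both, while a salted, deliberately slow hash (scrypt from the standard library here) makes every record unique and expensive to attack. The password “hunter2” is a constructed sample.

```python
import hashlib
import hmac
import os


def unsalted_sha256(password):
    """What a careless site might store: the same password always gives the same digest,
    so one cracked hash exposes every user who chose that password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password, salt=None, n=2 ** 14):
    """Salted, deliberately slow hash (scrypt). The record is what a breach would expose."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=8, p=1, dklen=32)
    return {"salt": salt.hex(), "n": n, "hash": digest.hex()}


def check_password(password, record):
    """Recompute with the stored salt and parameters, then compare in constant time."""
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(record["salt"]),
                            n=record["n"], r=8, p=1, dklen=32)
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    # Two users who picked the same (constructed) weak password.
    print(unsalted_sha256("hunter2") == unsalted_sha256("hunter2"))   # True: identical, crackable together
    a, b = make_record("hunter2"), make_record("hunter2")
    print(a["hash"] == b["hash"])                                       # False: salts differ
    print(check_password("hunter2", a), check_password("hunter3", a))  # True False
```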

This is exactly why you don’t reuse a password. If your leaked password is reused, any other account which uses this password, or any similar password, should also be considered compromised. It’s called “credential stuffing” when a hacker takes leaked account credentials and uses them to break into other accounts.

Credential stuffing takes only a bit of knowledge, and zero skill. All you need is a leaked password database and malicious intent. Then the attacker takes passwords associated with you and uses them to log in to various accounts that you might possess, and boom, an attacker can easily gain access to your sensitive information.

The length of time it takes to crack a leaked password.

Major pwnage going on in this chart. 

“Is there an easy way to check if I’ve been a part of any breaches?”

You are asking some great questions today. Are you secretly a very talented, yet undiscovered podcast interviewer? My favorite and most trusted website to check if account information has been leaked in a data breach is Have I Been Pwned. Have I Been Pwned is a website run by the renowned security researcher Troy Hunt, and references data from breaches found publicly on the dark web. This data only represents known data breaches, so don’t be surprised if your data has been leaked and that leak is not publicly known. This is why it’s important to always use unique passwords, regardless of your status on Have I Been Pwned.
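Have I Been Pwned also runs the Pwned Passwords range API, which lets you check a password against leaked hashes without ever sending the password: you send only the first 5 hex characters of its SHA-1 and match the rest locally. The added example below (not code from the original post or from HIBP) implements that k-anonymity check offline against a constructed stand-in for the API response; a real client would GET `https://api.pwnedpasswords.com/range/<prefix>`.

```python
import hashlib

# Constructed stand-in for the body returned for GET /range/5BAA6: one
# "HASH-SUFFIX:COUNT" line per leaked SHA-1 that shares the 5-char prefix.
# The first suffix is the real remainder of SHA-1("password"); the counts and
# the other two suffixes are made up for this example.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456
0018A45C4D1DEF81644B54AB7F969B88D65:1
003D68EB55068C33ACE09247EE4C639306B:3
"""


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 into the 5-char prefix sent to HIBP and the local suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body):
    """Turn the range response into {suffix: count}; tolerates blank lines and CRLF."""
    out = {}
    for line in body.splitlines():
        line = line.strip()
        if line:
            suffix, count = line.split(":")
            out[suffix] = int(count)
    return out


def fetch_range_offline(prefix):
    """Offline stand-in for the HTTP call; returns an empty body for unknown prefixes."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def pwned_count(password, fetch_range=fetch_range_offline):
    """How many times the password appeared in known breaches (0 = not found in this data)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "xbH9,uJ6gnGza6%n]lvyrQIjwnP)"):
        print(candidate, "->", pwned_count(candidate))
```

Only the prefix leaves your machine, so even the service cannot learn which password you checked; a non-zero count means stop using that password everywhere, not just on the site where it leaked.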

“All signs point to ‘YES’” 🎱 A screen shot of the home page over at Have I Been Pwned.

“Is there anything else I can do to prevent my accounts from being compromised?”

You’re darn right there is. Two-Factor Authentication (2FA). I am a 2FAngelist. Is that a word? 2FA and evangelist? Whatever the case, that’s me. Even if a hacker knows your password, starts to log in, and clears the password entry page, enforcing 2FA on your account can stop a hacker in their tracks. Microsoft reports that enforcing 2FA stops 99.9% of all account takeover attempts. And Microsoft knows about fraudulent sign-ins because their services experience 300,000,000 fraudulent sign-in attempts every day.

SO YES. PLEASE. USE. 2FA.

Lastly, not all types of 2FA are created equal. SMS-based (a text to your cell phone) is the least secure form of 2FA. Try to avoid SMS-based 2FA wherever possible (you can read my blog post on “SIM jacking” to find out why). The most secure form of 2FA is something like a FIDO2 hardware key, which not only provides a second factor of authentication, but is also phishing resistant. In the middle is app-based authentication, such as Google Authenticator or Microsoft Authenticator.

To recap: 

  • Use a password manager and a random password generator to store your random and unique passwords.

  • If you need to remember a password (such as the one that unlocks your password manager), use numbers, upper/lowercase letters and symbols. Make sure the password is long; ideally 18 characters or longer (size does matter).

  • Head over to Have I Been Pwned to find out what I already know: that your email of 10 years has been a part of like 5 breaches.

  • Even when your password has been compromised, adding 2FA to your account can still stop a hacker. 2FA should be turned on for at least your most important accounts. Be Co enforces 2FA on every account where it is possible by policy.

Still have questions?

Call, email, or book an appointment with me. I would love to chat with you about your password management strategy.

Randall Bellows III

Founder of Be Co - Technology Consultant, vCIO, Creative

https://beco.technology