The optimal length and composition of the password
Introduction
Against the background of numerous posts about passwords, I decided to do a little research.
Currently, password protection is the most common and, unfortunately, the most unreliable method of protection. There are many articles on the topic “How to make a strong password”, but I haven’t met any articles that provide real data on the strength of passwords.
')
The study assesses the reliability of passwords to resist brute force attacks. The most effective method of brute force in the search for passwords for hash functions is the compilation of rainbow tables.
Calculations are carried out for the three hash functions md5, sha1 and sha2 (modification sha512). The data on collisions in these hash functions are not taken into account, as from a practical point of view they will not help in real password selection, and there are no open implementations of worthy software. The study involved passwords with a length of 7, 8, 10 and 12 characters of three different alphabets.
For clarity, the results provide data on the number of passwords, the amount of disk space for storing rainbow tables, and the estimated time to build rainbow tables.
Tools.
- Computer with a Pentium 4 2.6 GHz processor and 512 MB RAM;
- The winrtgen utility, which is part of Cain & Abel;
Intermediate calculations.
The number of combinations of passwords is (the number of characters in the alphabet) ^ (the number of characters in the password)
The study involved 3 alphabets:
- A1 = {abcdefghijklmnopqrstuvwxyz0123456789} 36 characters
- A2 = {abcdefghijklmnopqrstuvwxyz0123456789! @ # $% ^ & * () -_ + = "} 51 characters
- A3 = {abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789! @ # $% ^ & * () -_ + =} 77 characters
- A4 = {0123456789} 10 characters
Results.
For the alphabet A1
| No | Number of characters | Hash algorithm | Disk space | Counting time |
| one | 7 | md5 | 2.98 GB | 5 days |
| 2 | eight | md5 | 89.4 GB | 159 days |
| 3 | ten | md5 | 113,249 GB | 661.5 years |
| four | 12 | md5 | 178 754 329 GB | 1.19851e + 006 years |
| five | 7 | sha1 | 2.98 GB | 7 days |
| 6 | eight | sha1 | 89.4 GB | 230 days |
| 7 | ten | sha1 | 113,249 GB | 918 years old |
| eight | 12 | sha1 | 178 754 329 GB | 1,58632e + 006 years |
| 9 | 7 | sha512 | 2.98 GB | 16 days |
| ten | eight | sha512 | 89.4 GB | 1.4 years |
| eleven | ten | sha512 | 113,249 GB | 1905 years |
| 12 | 12 | sha512 | 178 754 329 GB | 3.1438e + 006 |
For alphabet A2
| No | Number of characters | Hash algorithm | Disk space | Counting time |
| one | 7 | md5 | 232.5 GB | 1 year |
| 2 | eight | md5 | 17,881.4 GB | 90.2 years |
| 3 | ten | md5 | 77,486,038.2 GB | 462539 years old |
| four | 12 | md5 | - | - |
| five | 7 | sha1 | 232.5 GB | 1.6 years |
| 6 | eight | sha1 | 17,881.4 GB | 129 years |
| 7 | ten | sha1 | 77,486,038.2 GB | 638089 years old |
| eight | 12 | sha1 | - | - |
| 9 | 7 | sha512 | 232.5 GB | 3.54 years |
| ten | eight | sha512 | 17,881.4 GB | 286.5 years |
| eleven | ten | sha512 | 77,486,038.2 GB | 1.33807e + 006 years |
| 12 | 12 | sha512 | - | - |
For alphabet A3
| No | Number of characters | Hash algorithm | Disk space | Counting time |
| one | 7 | md5 | 596 GB | 2.73 years |
| 2 | eight | md5 | 41,723 GB | 206 years |
| 3 | ten | md5 | 238,418 579 GB | 1,38521e + 006 years |
| four | 12 | md5 | - | - |
| five | 7 | sha1 | 596 GB | 4 years |
| 6 | eight | sha1 | 41,723 GB | 301 year |
| 7 | ten | sha1 | 238,418 579 GB | 1.91805e + 006 years |
| eight | 12 | sha1 | - | - |
| 9 | 7 | sha512 | 596 GB | 9 years |
| ten | eight | sha512 | 41,723 GB | 654 years |
| eleven | ten | sha512 | 238,418 579 GB | 3,95008e + 006 years |
| 12 | 12 | sha512 | - | - |
For alphabet A4
| No | Number of characters | Hash algorithm | Disk space | Counting time |
| one | 12 | md5 | 59.6 GB | 133 days |
| 2 | 15 | md5 | 59 604.64 GB | 426 years |
| 3 | 17 | md5 | 5,960,464.47 GB | 47,574 years |
| four | 20 | md5 | 1 665 497 181 GB | 4,94612e + 007 years |
| five | 12 | sha1 | 59.6 GB | 175 days |
| 6 | 15 | sha1 | 59 604.64 GB | 563 years |
| 7 | 17 | sha1 | 5,960,464.47 GB | 60 505 years |
| eight | 20 | sha1 | 1 665 497 181 GB | 6.2405e + 007 years |
| 9 | 12 | sha512 | 59.6 GB | 359 days |
| ten | 15 | sha512 | 59 604.64 GB | 1040 years |
| eleven | 17 | sha512 | 5,960,464.47 GB | 110 162 years |
| 12 | 20 | sha512 | 1 665 497 181 GB | 1.12256e + 008 years |
Dash where the program has decided that it will be enough to count.
Findings.
Everyone should choose the length and composition of passwords for himself, from myself I can only say, it is better to choose a password up to 12 characters and periodically change it, rather than take a password of 20 characters and feel completely safe.
PS This is my first post on Habré, do not kick much, please.
UPD Added A4 alphabet and statistics to it.
Source: https://habr.com/ru/post/80036/
All Articles