AXISHK
asked on
How long to crack a 8 chars alphanumeric password
Any idea how long to crack an 8-char Windows alphanumeric password?
Thx
Depends.
Assuming 62 possible characters (upper and lower 26 each, and 10 numerals), there are 9.807971461541689e+55 possible passwords. Using a million machines, each capable of testing a million passwords per second, it would take 3.1100873482818648528665651953323e+36 years to test all possibilities. Our sun will have swallowed the Earth long before that happens.
Of course, humans are not that good at random password selection. If you discover that a person used passwordmarch last month to verify their membership at the local gym, then it is fairly probable that passwordapril will get you into their AD account today.
Password combination calculator below:
http://www.csgnetwork.com/optionspossiblecalc.html
Here is an interesting illustration of how some knowledge of how humans create passwords can leave even long ones vulnerable:
https://www.xkcd.com/936/
If you know the NTLM hash, it's less than a second to look up the hash in a rainbow table.
http://project-rainbowcrack.com/table.htm
If the hash is unknown - according to the page below, figure a few hours using brute force.
https://www.onthewire.io/l0phtcrack-7-shows-windows-passwords-easier-to-crack-now-than-20-years-ago/
ASKER
I'm talking about a Windows 2012 R2 password with alphanumeric chars. If it takes a few hours, does it mean a Windows password is completely not safe?
Thx
Depends on what you consider to be "completely not safe." Personally I consider it in the same category as a bike lock. It keeps honest people honest, and that's all. Professionals aren't deterred by it.
I think we tried to give you an example of how this is a bad question - but you don't seem to understand that point.
Let me rephrase - this is a question that cannot be easily or reliably answered. There are too many factors. If you want to test how weak a password is, CRACK IT YOURSELF. John the Ripper is a free password auditing tool that can crack passwords (assuming you have appropriate permissions). Google it. How good or bad a password is depends on what you're trying to secure. If you want tight security, you should look at TWO FACTOR authentication - a password alone should not be enough. Keyloggers can capture passwords that are otherwise VERY good. Mix in a second factor and it becomes MUCH harder for someone. But if you're trying to secure your holiday gift idea you probably don't care too much ... but if you're trying to ensure no one steals your secret plans for a fantastic new energy source, then you should have more security.
This is a really bad question, I agree with Lee....
@AXISHK,
EE is not for this. Please try other sources...
26 letters lower and plus 26 letters upper and 10 numbers = 62 chars
62^8 = 218,340,105,584,896 possible combinations
The question cannot be answered without knowing the attack you plan to defend against. How should the attacker proceed?
You need to clarify that.
If you are looking for a recommendation for password strength or length, then please say so and tell me what attack types you see. In case you never asked yourself "how would an attacker proceed", you need to do that now and learn about attacks.
62^8 = 218,340,105,584,896 possible combinations
suppose a PC is capable of testing 1,000,000,000 passwords per second,
= 60.65 Hours
= 2.52 Days
Ramin, that is useless unless we know:
1. Who would want to use alphanumeric but no special characters?
2. How would an attacker even get to the password hash?
I agree, I posted those numbers just to give a basic view of the question. It also depends on the platform and hardware of the tester machine.
ASKER
Thx
Just for your understanding: based on your selected solution, it seems you believe that using lockouts would help against your attack type. Lockouts will only help if the password is actually tried against a domain controller. If you use tools that attack a password hash, lockouts don't help at all - and that is by far the more common attack type.
That is why I asked some questions. So if you want to know more about it, you would need to offer details on your scenario.
If you want to test, set up a test domain and install John the Ripper and try to crack it.
(It also depends on the hardware used... if you're running it on a Pentium 4 166 MHz system it'll take a LOT longer than a 3.8GHz Core i7.)
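The 62^8 arithmetic from this thread, set beside the lockout point made above, as an added example (not code from any poster): worst-case time to try every 8-character alphanumeric password offline against a captured hash versus online against a logon service with account lockout. The function names, the 5-attempts-per-30-minutes policy and the "threshold minus one guesses per window" model are assumptions made for illustration.

```python
"""Worst-case search time for a uniformly random password: offline vs. lockout-limited."""

ALNUM = 26 + 26 + 10  # charset from the thread: a-z, A-Z, 0-9


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def offline_seconds(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Time to try every candidate against a captured hash (lockout never applies)."""
    return keyspace(charset_size, length) / guesses_per_second


def online_seconds(charset_size: int, length: int,
                   lockout_threshold: int, window_seconds: int) -> float:
    """Time to try every candidate against the live logon service.

    Assumed policy model: the account locks at `lockout_threshold` bad
    attempts inside one `window_seconds` observation window, so staying
    unlocked allows at most threshold - 1 guesses per window.
    """
    if lockout_threshold < 2:
        raise ValueError("threshold must allow at least one guess per window")
    rate = (lockout_threshold - 1) / window_seconds
    return keyspace(charset_size, length) / rate


def humanize(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.2f} {unit}"
    return f"{seconds:,.2f} seconds"


if __name__ == "__main__":
    print("keyspace:", f"{keyspace(ALNUM, 8):,}")
    # Rates quoted in the thread; both assume the hash is already in hand.
    for label, rate in (("1e9 guesses/s (one PC)", 1e9),
                        ("1e12 guesses/s (1e6 machines x 1e6/s)", 1e12)):
        print(f"offline @ {label}: {humanize(offline_seconds(ALNUM, 8, rate))}")
    # Constructed lockout policy: 5 bad attempts per 30-minute window.
    print("online, lockout 5 per 30 min:", humanize(online_seconds(ALNUM, 8, 5, 1800)))
```

These figures assume a uniformly random password; a guessable pattern such as the passwordmarch/passwordapril case falls long before the keyspace is exhausted.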