AXISHK

asked on

How long to crack a 8 chars alphanumeric password

Any idea how long it takes to crack an 8-character Windows alphanumeric password?

Thx
Lee W, MVP

Depends on the dictionary used and the password requirements. 1234abcd is an 8-character password and a lot easier to crack than h5l47opk.

If you want to test, set up a test domain, install John the Ripper and try to crack it.

(It also depends on the hardware used... if you're running it on a Pentium 4 166 MHz system it'll take a LOT longer than on a 3.8 GHz Core i7.)
Depends.

Assuming 62 possible characters, (upper and lower 26 each, and 10 numerals), there are 9.807971461541689e+55 possible passwords. Using a million machines, each capable of testing a million passwords per second, it would take 3.1100873482818648528665651953323e+36 years to test all possibilities. Our sun will have swallowed the Earth long before that happens.

Of course, humans are not that good at random password selection. If you discover that a person used passwordmarch last month to verify their membership at the local gym, then it is fairly probable that passwordapril will get you into their AD account today.

Password combination calculator below:

http://www.csgnetwork.com/optionspossiblecalc.html
Here is an interesting illustration of how some knowledge of how humans create passwords can leave even long ones vulnerable:

https://www.xkcd.com/936/
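An added example, not code from the thread, that does the keyspace arithmetic the replies above are doing and puts the two attack models side by side. The 62-symbol alphabet and the 1e6/s, 1e9/s and 1e12/s guess rates are the figures quoted in the posts; the lockout-limited online rate (5 failed attempts per 30-minute window) is an assumed policy used only for comparison.

```python
"""Keyspace and time-to-exhaust arithmetic for the question above.

Added example, not code from the thread.  The 62-symbol alphabet and the
1e6/s, 1e9/s and 1e12/s guess rates are the figures quoted in the posts;
the lockout-limited online rate is an assumed policy used for comparison.
"""

# Character-class sizes; 62 = 26 lower + 26 upper + 10 digits.
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "lowercase+digits": 36,
    "alphanumeric": 62,
    "printable ASCII": 95,
}

# Guesses per second.  Online guessing against a domain controller is
# bounded by the lockout policy rather than by hardware: 5 failed attempts
# per 30-minute observation window (assumed policy) is about 0.0028 tries/s.
# Offline attacks on a dumped hash are bounded only by the hardware.
RATES = {
    "online, lockout 5 per 30 min (assumed policy)": 5 / 1800,
    "offline, 1e6/s (thread)": 1e6,
    "offline, 1e9/s (thread)": 1e9,
    "offline, 1e12/s = 1e6 machines x 1e6/s (thread)": 1e12,
}


def keyspace(charset_size: int, length: int, up_to_length: bool = False) -> int:
    """Number of candidate passwords.

    With up_to_length=True every length from 1 to `length` is counted,
    which is what an incremental brute-force run actually walks through.
    """
    if up_to_length:
        return sum(charset_size ** n for n in range(1, length + 1))
    return charset_size ** length


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst case, every candidate tried; the expected time is half of this."""
    return space / guesses_per_second


def human(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value >= 1."""
    units = (("years", 365.25 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.2f} {name}"
    return f"{seconds:.3g} seconds"


def report(length: int = 8) -> dict:
    """Seconds to exhaust each charset at each rate, keyed by (charset, rate)."""
    table = {}
    for cs_name, size in CHARSETS.items():
        space = keyspace(size, length)
        for rate_name, rate in RATES.items():
            table[(cs_name, rate_name)] = seconds_to_exhaust(space, rate)
    return table


if __name__ == "__main__":
    for (cs_name, rate_name), secs in report().items():
        print(f"{cs_name:16} {rate_name:50} {human(secs)}")
```

Running it prints one row per charset and rate. The numbers make the point the thread keeps circling: 62^8 at 1e9 guesses/s is about 60.65 hours, at the "million machines times a million guesses" rate it is under four minutes, while the same keyspace tried online against a lockout policy is measured in billions of years. Which column applies depends entirely on whether the attacker has the hash.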
Dr. Klahn

If you know the NTLM hash, it's less than a second to look up the hash in a rainbow table.

http://project-rainbowcrack.com/table.htm

If the hash is unknown - according to the page below, figure a few hours using brute force.

https://www.onthewire.io/l0phtcrack-7-shows-windows-passwords-easier-to-crack-now-than-20-years-ago/
AXISHK

ASKER

I'm talking about a Windows 2012 R2 password with alphanumeric characters. If it takes a few hours, does that mean Windows passwords are completely unsafe?


Thx
Depends on what you consider to be "completely not safe."  Personally I consider it in the same category as a bike lock.  It keeps honest people honest, and that's all.  Professionals aren't deterred by it.
I think we tried to give you an example of how this is a bad question - but you don't seem to understand that point.

Let me rephrase - this is a question that cannot be easily or reliably answered.  There are too many factors.  If you want to test how weak a password is, CRACK IT YOURSELF.  John the Ripper is a free password auditing tool that can crack passwords (assuming you have appropriate permissions). Google it.  How good or bad a password is depends on what you're trying to secure.  If you want tight security, you should look at TWO FACTOR authentication - a password alone should not be enough.  Keyloggers can capture passwords that are otherwise VERY good.  Mix in a second factor and it becomes MUCH harder for someone.  But if you're trying to secure your holiday gift idea you probably don't care too much ... but if you're trying to ensure no one steals your secret plans for a fantastic new energy source, then you should have more security.
ASKER CERTIFIED SOLUTION
David Johnson, CD
This is a really bad question; I agree with Lee....

@AXISHK,
EE is not for this. Please try other sources...
26 lowercase letters plus 26 uppercase letters and 10 numbers = 62 chars

 62^8 = 218,340,105,584,896 possible combinations
SOLUTION
The question cannot be answered without knowing the attack you plan to defend against. How should the attacker proceed?
You need to clarify that.

If you are looking for a recommendation for password strength or length, then please say so and tell me what attack types you see. In case you never asked yourself "how would an attacker proceed", you need to do that now and learn about attacks.
62^8 = 218,340,105,584,896 possible combinations
suppose a PC is capable of testing 1,000,000,000 passwords per second,
= 60.65 Hours
= 2.52 Days
Ramin, that is useless unless we know
1. Who would want to use alphanumeric but no special characters?
2. How would an attacker even get to the password hash?
I agree; I posted those numbers just to give a basic view of the question. It also depends on the platform and hardware of the tester's machine.
SOLUTION
AXISHK

ASKER

Thx
Just for your understanding: based on your selected solution, it seems you believe that using lockouts would help against your attack type. Lockouts will only help if the password is actually tried against a domain controller. If you use tools that attack a password hash, lockouts don't help at all - and that is by far the more common attack type.

That is why I asked some questions. So if you want to know more about it, you would need to offer details on your scenario.
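As an added example, not code from the thread, of the offline hash attack the last reply contrasts with online guessing: NTLM (the NT hash stored in the SAM and in NTDS.dit) is MD4 over the UTF-16LE encoding of the password with no salt, so equal passwords give equal hashes, precomputed tables work, and nothing in the loop below ever touches a domain controller, which is why lockout thresholds do not apply. MD4 is written out inline so the script runs without OpenSSL exposing the algorithm. The hash "dump", the user names, the word list and the mangling rules (word plus month or year, following the passwordmarch/passwordapril observation earlier in the thread) are all constructed for the demo. Obtaining the hashes in the first place requires SYSTEM-level access to the host or domain controller; that step is not shown.

```python
"""NTLM hashing and an offline guessing attack on a dumped hash.

Added example, not code from the thread.  NTLM is MD4 over the UTF-16LE
encoding of the password, with no salt.  MD4 is written out so the script
runs without OpenSSL's legacy provider.  The hash dump, user names and
word list are constructed for the demo.
"""
import struct

_MASK = 0xFFFFFFFF

def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK

def _md4_block(state, block: bytes):
    """One 64-byte MD4 compression, RFC 1320 section 3.4."""
    X = struct.unpack("<16I", block)
    a, b, c, d = state
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    for i in range(16):                                   # round 1
        a = _rotl((a + F(b, c, d) + X[i]) & _MASK, (3, 7, 11, 19)[i % 4])
        a, b, c, d = d, a, b, c
    for i, k in enumerate((0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)):
        a = _rotl((a + G(b, c, d) + X[k] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4])
        a, b, c, d = d, a, b, c
    for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):
        a = _rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4])
        a, b, c, d = d, a, b, c
    return [(s + v) & _MASK for s, v in zip(state, (a, b, c, d))]

def md4(data: bytes) -> bytes:
    """MD4 digest: pad to 56 mod 64, append the 64-bit LE bit length, compress."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        state = _md4_block(state, bytes(msg[off:off + 64]))
    return struct.pack("<4I", *state)

def ntlm_hash(password: str) -> str:
    """The NT hash as stored in the SAM / NTDS.dit: MD4(UTF-16LE(password))."""
    return md4(password.encode("utf-16le")).hex()

MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")

def candidates(word: str):
    """Mangling rules of the kind the thread describes: word + month or year."""
    for base in (word, word.capitalize()):
        yield base
        for m in MONTHS:
            yield base + m
            yield base + m.capitalize()
        for year in range(2010, 2016):
            yield f"{base}{year}"
            yield f"{base}{year}!"

def guess_offline(target: str, words) -> tuple:
    """Try candidates against a hash we already hold.  No DC is contacted,
    so the lockout policy never fires; returns (password, attempts)."""
    attempts = 0
    for word in words:
        for cand in candidates(word):
            attempts += 1
            if ntlm_hash(cand) == target:
                return cand, attempts
    return None, attempts

def crack_dump(dump: dict, words) -> dict:
    """Crack every user in a {user: nthash} dump.  Because NTLM is unsalted,
    users sharing a password share a hash and are cracked in one pass."""
    by_hash = {}
    for user, h in dump.items():
        by_hash.setdefault(h, []).append(user)
    cracked = {}
    for h, users in by_hash.items():
        password, _ = guess_offline(h, words)
        for user in users:
            cracked[user] = password
    return cracked

# Constructed sample dump (alice and carol chose the same password).
DUMP = {
    "alice": ntlm_hash("passwordapril"),
    "bob": ntlm_hash("Summer2014!"),
    "carol": ntlm_hash("passwordapril"),
}
WORDS = ("password", "summer", "welcome")

if __name__ == "__main__":
    for user, pw in crack_dump(DUMP, WORDS).items():
        print(f"{user}: {DUMP[user]} -> {pw}")
```

Run as-is it recovers all three passwords from a handful of guesses per user, and alice's and carol's entries carry the identical hash, which is the property rainbow tables exploit. The attempt counter is the thing to notice: every one of those guesses is a local MD4 computation, so an account lockout policy, which only counts failures the domain controller sees, has nothing to act on. That is the distinction the reply above draws between online guessing and attacking a hash.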