Dec 02 2010
We love movies, but it’s probably because of Hollywood that we get at least a few calls each month asking us to brute force someone’s password. Folks want to know how much we charge, and can we finish by Thursday?
Sadly, brute forcing passwords is not like the movies. In WarGames, the WOPR brute forced the “CPE1704TKS” launch code in a few hours. Makes for high drama, but the reality is that a 10-character password using only uppercase letters and numbers has 3.7 quadrillion possible combinations. Even being kind and allowing that a 1983 supercomputer could test ~48,000 unique password combinations per second (approximately the same as today’s technology), it would have taken WOPR about 2,415 years to get it.
But we know what you’re thinking. That’s nuclear launch codes. What about my Facebook password? How computationally secure is my Facebook page against an all-out brute force “racc-a-tacc” by a supercomputer? What about a dedicated rack of 1,000,000 secret government supercomputers??? I’ve seen Enemy of the State!
Well, putting aside for a moment things like entropy, rainbow tables, and those unethical Facebook employees who admit to stealing your account login from time to time to snoop photos, the answer is: it depends on your password. For example, the “bigboy1” you use for your fantasy football page isn’t nearly as strong as what your IT manager gave you to access the company’s network. Something like “A$r1;05q6,” right?
By definition, a brute force attack eventually gets it right. But believe it or not, how long that takes everywhere on Earth except Hollywood gets real big real fast. Into the billions, trillions, even MILLIONS of years!
To give a little perspective:
Longer, more complex passwords get even more ridiculous. So it’s easy to see why your gym membership requires a 4-digit pin and your online bank requires 12-characters using at least 1 upper case letter, 1 number, and 1 symbol.
Of course, if you’re like most folks, this is all academic because your arsenal of complex, super-strong passwords is all saved in one unprotected document called “Passwords” someplace on your C: drive (so you don’t forget them).
If NORAD’s IT guy was like most folks, WarGames would have been a lot shorter.