Ivan Lucas "Password Recovery Speeds: How long will your password stand up" (Friday 10th July 2009 04:01),
Copyright © 1996-2009 Ivan Lucas. Creative Commons License Licensed under a Creative Commons Attribution-ShareAlike 2.0 License. All trademarks are hereby acknowledged.

COPYRIGHT NOTICE
Original Concept & Design: Ivan Lucas
Additional Coding: Rob Beckett

Organisation: The Home Computer Security Centre - LockDown.co.uk
Web Site: http://www.lockdown.co.uk/
Email: ivan.lucas@lockdown.co.uk or rob@subwolf.org

All code, script, text, images and designs on this site are copyright I N Lucas 2000-2007 - All Rights Reserved.

Password Recovery Speeds

This document shows the approximate amount of time required for a computer or a cluster of computers to guess various passwords. The figures shown are approximate and are the maximum time required to guess each password using a simple brute force "key-search" attack, it may (and probably will) be possible to guess correctly without trying all the combinations shown using other methods of attack or by having a "lucky guess".
See the <a href="#Classes">bottom of the page</a> for details about the classes of attack.

10 Characters

Just numbers. As you can see choosing a password from such a small range of characters is a bad idea.

26 Characters

The full alphabet, either upper or lower case (not both in this case).

36 Characters

The full alphabet, either upper or lower case (not both in this case) plus numbers.

52 Characters

This time we're trying the full alphabet but using a mixture of upper and lower case letters, that effectively doubles the number of combinations when compared with just using a single case.

62 Characters

Mixed upper and lower case alphabetic characters plus numbers.

86 Characters

Mixed upper and lower case alphabet and common symbols.

96 Characters

Mixed upper and lower case alphabet plus numbers and common symbols.

Examples

These are just a couple of examples to show the resilience of certain types of password, using the information in the tables above you will be able to make your own examples.

<a name="Classes">Classes</a> of Attack

These are just some example speeds, I'd be interested to hear from people with more information about the speed taken to crack various types of passwords with various hardware.

<a name="classA">A.</a> 10,000 Passwords/sec
Typical for recovery of Microsoft Office passwords on a Pentium 100

<a name="classB">B.</a> 100,000 Passwords/sec
Typical for recovery of Windows Password Cache (.PWL Files) passwords on a Pentium 100

<a name="classC">C.</a> 1,000,000 Passwords/sec
Typical for recovery of ZIP or ARJ passwords on a Pentium 100

<a name="classD">D.</a> 10,000,000 Passwords/sec

Fast PC, Dual Processor PC.

<a name="classE">E.</a> 100,000,000 Passwords/sec

Workstation, or multiple PC's working together.

<a name="classF">F.</a> 1,000,000,000 Passwords/sec
Typical for medium to large scale distributed computing, Supercomputers.

<a href="http://www.distributed.net/">Distributed.net</a>'s Project Bovine RC5-64 possibly the fastest computer on earth has recently reached a speed of 76.1 Billion passwords per second!

リンク

• セキュリティ関連メモ のトップページへ
• security sub Wiki のトップページへ