33.1 Billion Passwords Per Second Sure Seems Like A Lot

A post a while back showed that a series of 8 5970 GPUs could test 33.1 billion MD5 passwords per second. A pretty impressive number.

But let’s put that into perspective using this calculator that looks only at combinations, none of that entropy BS that clouds things up.

At 100 billion checks per second, essentially 3x as fast as 8 5970 GPUs, it would take about 19 hours to crack a simple 8 character password with a full character set of 95. Adding just one single character to that turns 19 hours into 2.5 months. One more character and we’re nearing 20 years. Another and we’re nearing 20 centuries.

That’s only 11 characters. That’s nothing, really.

But even if you could check 100 trillion passwords per second it would take an entire 1.83 years to crack the password. And with just one character even that becomes infeasible, pushing the time for a 12 character password at 100 trillion guesses to 1.74 centuries.

And, let’s face it, 100 trillion is going to take massive amounts of energy and funding.

The fact that MD5 is multiple orders faster than other methods also puts things into perspective. SHA 256 is meant to be fast and even it’s going to be 10x as slow. If you use PBDKF2 I’d assume it’s a matter of multiply rounds ie: if one round takes 10x as long 10 rounds will take 100x as long. LastPass defaults to 500 rounds so that’s 5000x as slow and I personally use 30,000 rounds so that’s… 300,000x as slow.

Basically, if you use a full character set and 12 character passwords there’s simply no way anyone’s getting into your system. It’s so damn easy to remember a password that’s 12 characters too.

Just a few other tidbits for the 100 trillion checks per second:

16 characters = 1.41 hundred million centures

20 characters = 11.52 thousand trillion centuries

I mean, really, no one is going to even try. It would be cheaper to try to break the encryption but only because it’s like comparing spending every bit of energy the earth has to offer or just spending millions of dollars.

The point of this post is to demonstrate that if you use even a slightly secure password you make it impossible to bruteforce and if you exert virtually any small amount of effort into creating a strong password the solar system would collapse long before anyone ever broke into it.

LastPass Security Challenge

So I was checking out the LastPass website to see what I can learn. I stumbled across the “Security Challenge” – a series of tests run on your passwords to test their ‘strength’, if you have duplicates, and a few other things.

I’d actually forgotten how many websites I used the same password for (old old accounts from pre-security conscious days) and often a really short one.

I went through and after about 20 minutes I removed all duplicates and significantly upped the average character count for breaking into any single account.

I suggest anyone using LastPass runs the benchmark and sees how good they’ve been.


Here’s what I’m up to. I wouldn’t take the score too seriously, it seems like the more passwords you have the more secure you are, which is silly. Just go through and make sure you’ve got no duplicates and a decent average length.

Get Free LastPass Premium (for both of us!) for one moth with this link: https://lastpass.com/f?420446 

How To Create A Strong And Memorable Password

Tips For Creating A Secure Password:

A secure password has a few features: it’s easy for you to remember, hard for a hacker to guess, and too complicated/ long to bruteforce.

A good password will have at least one of each of these: lower case letter, upper case letter, number, symbol. This guide will explain how to create a strong password that’s easy to remember and duplicate for various services.

Your password should be at least 12 characters long. Anything “mission critical” (as in the government is after the nuclear codes that you stole) should be at least 14 characters. Some people recommend 20 characters, this isn’t really necessary unless you can’t verify the crypto behind the password security.

A horrible password for anyone would be “password123” as it’s the first thing any attacker will try. It’s got a single word, which means it’s highly susceptible to a dictionary attack, and merely 3 numbers. It’s also only 11 characters, which isn’t awful but for protecting critical data it should be key.

A bad password for me would be “insanitybit12345!?” as an attacker might guess that I’d use my username as a password. At that point they only need to bruteforce 12345!? and they’ll likely do the ‘12345’ anyways.

A good password for me would be “CatBike92391(!” as it has 14 characters, two words, a friends birthday (not my own, just some random friend from years ago) and two random symbols.

A great password for me would be “AwfulCatBike92391(@#(!(!” as it has 24 characters, three unrelated words, an old friends birthday, their birthday typed while holding shift, and two random symbols. This password is beyond overkill, I suggest you stick to a password closer to 12-14 characters unless you can’t confirm that the crypto behind what your entering the password into is secure (like an online service.)

A bad, but ‘strong’ password would be “a%f!1234BZV245NDF!#$?;;z<qortQERG” as it has over 30 characters, all ‘random’, but there’s no way in hell I’ll remember it and I’ll be pissed off every time I spend the time typing it out just to retype it because I forgot a letter. If I were an inexperienced user I’d end up writing it on paper, which is horrible.

Remembering even my incredibly long AwfulCatBike92391(@#(!(! is simple. You just need to remember 3 words, 1 birthday, and two random symbols. That’s 5 things to remember, it’s nothing. It’s like remembering “party” is your password or any other 5 letter word.

Keep in mind that the equation for password combinations is (character set! ^ length!) so simply by adding one of each character set (a, B, 3, $) you improve the security of your password by a massive amount.

I’m also using “AwfulCat” and not “Gorillas” – even though they are both the same length “Gorillas”  is actually much less secure because it is one word. The difference is very large when you consider dictionary attacks and how they work. Stringing two unrelated words will be much more secure than one long word.

TIP: You can create multiple strong passwords very easily.

Let’s take our AwfulCatBike92391(@#(!(! example.

Maybe that’s my email password for GMail and now I want a strong Hotmail password. I’ll simply change AwfulCatBike92391(@#(!(! to:

SuperDogCar71488&!$**%$. I’ve changed “Awful” to “Super”, “Cat” to “Dog”, and “Bike” to “Car.” Anyone who got a 200 or above on their SATs should be able to understand the relations here. I also picked another friends birthday and another two random symbols. So now we have a very different password that’s just as secure as the last and it won’t be difficult to remember both because they’re similar in terms of semantics..

Other examples might be:

GreatEmuTruck52090%&()$# or EvilRabbitJeep41794$!&(%*%

Its simple. Though, again, I think that these passwords are overkill and something more like the 14 character example is ample.