Page History

There are two types attacks to break into a password protected system by attempting to guess the password, brute-force and dictionary; these attacks are effectively useless against online systems, even if not secured properly, the latency alone makes them impractical. However, these attacks are very effective against local encrypted files (like your password database, or any other file you encrypt for privacy).

Let's compare the two attacks against our two passwords. Let's assume the attacker is using an array of modern processors that is capable of going through

Brute Force

This technique relies on trying every possible combination of characters until the correct one is guessed, hence the name brute force. If we consider a typical brute force algorithm that attempts to guess the password with the 26 characters of the English alphabet in both upper and lower case, 10 numerical digits, and 33 special characters easily found on a qwerty keyboard, we find:

• For the password "yM&Lqg4?S": The program must guess every possible permutation starting with 1 characters and increasing until a match is found. That means it'll take a between between (6.3695419 x 10^17) + 1 and 6.0510648 x 10^19 guesses.
  
  Total search space: 95 + 95^2 + 95^3 + 95^4 + 95^5 + 95^6 + 95^7 + 95^8 + 95^9 = 636,954,190,679,126,495
  Assuming the attacker is using a large botnet capable of making one hundred trillion guesses per second, it would take less than 2 hours to guess this password.
  An attacker with relatively inexpensive off-the-shelf hardware could break it in approximately two and a half months.

• For the password "atone long pod wordy calve", despite the fact that it contains no numbers, upper case letters, or special characters:
  
  Total search space: 95 + 95^2 + ... + 95^26 = 2,663,234,997,260,162,196,476,097,223,547,872,948,519,727,017,017,120 
  Assuming the same large botnet, it would take the attacker approximately 8.47 thousand trillion trillion centuries to guess this password.
  An attacker with relatively inexpensive off-the-shelf hardware would need 8.47 million trillion trillion centuries to guess it.

Dictionary Attack:

A dictionary attack aims to address the slowness of a brute force attack by taking advantage of people's tendency to use simple words as their passwords, this relies on the password consisting of a word or two, or it becomes a brute force attack. WeThe English language is rather rich, we'll consider a typical diceware dictionary medium sized "dictionary" of 450,000 words for this attack , which consists of 6^5 (7,776) unique words (note that the bigger the dictionary, the more likely it is to produce a successful guess, and the slower it is, the most popular password cracking dictionary contains 1,493,677,782 words).

• The password "yM&Lqg4?S" is not susceptible to a dictionary attack, a dictionary attack will never be able to break it.
• For the password "atone long pod wordy calve":
  Think of this password as a password 5 characters long, but being composed with an alphabet consisting of 7,777 characters (dicware dictionary + a space)
  Total search space = 745,777 000 + 745,777^2 000^2 + ... +745,777^5 000^5 = 2.8452232 x 10^19 1.8453223e+23
  A large botnet attack that is lucky enough to be using the same dictionary set would be able to guess this password in just under 2 daysapproximately 35 years, but it would take an attacker with off-the-shelf hardware just over 3.5 years4 hundred centuries.
  
  Now consider doing a miner change to our password: "at0ne l0ng p0d w0rdy calve!"
  Our password is still easy to remember, but it is now no longer susceptible to this dictionary attack (remember the larger the dictionary, the slower the attack is). Furthermore, by adding an additional character ('!'), we've increased the possible number of permutations by 2.5034409 x 10^53, bringing our estimated brute force crack time to 8.04 hundred million trillion trillion centuries.