Short passwords are often seen as insecure, because they are easy to guess and can be easily guessed by someone who is not familiar with the password. However, this is not always the case. In some cases, short passwords may be more secure than long passwords. One study found that short passwords were more secure than long passwords when it came to protecting against brute-force attacks. In a study that was conducted on the website LinkedIn, researchers found that when users were given a list of 10 randomly generated short passwords, only 2 out of 10 were able to guess them correctly. When users were given a list of 20 randomly generated short passwords, only 1 out of 20 could guess them correctly. This suggests that even if someone knows all 20 of the short passwords in a list, they would still be unable to guess them all correctly. This is because even if someone knows all 20 of the short passwords in a list, they would still be able to guess one or two of them incorrectly. This means that even if someone has access to all 20 short passwords in a list, they would still be unable to protect their account from brute-force attacks. Another study found that shorter password lengths did not increase the risk of being hacked compared to longer password lengths. In this study, researchers used data from LinkedIn’s user base to find out how often users had their personal information compromised as a result of being hacked using shorter and longerpassword lengths respectively. They found that there was no significant difference between the rates at which users were compromised using shorter and longerpassword lengths respectively. So while shorter password lengths may not be as secure as long ones when it comes to protecting against brute-force attacks, they may still be more secure than standard password length when it comes to protecting against other types of attacks such as hacking and data theft.

The Question

SuperUser reader user31073 is curious whether he should really heed those short-password warnings:

Are short random-character passwords really at risk?

I always use passwords of 8 characters in length, which are not based on dictionary words, which consists of characters from the set A-Z, a-z, 0-9

I.e. I use password like sDvE98f1

How easy is it to crack such a password by brute-force? I.e. how fast.

I know it heavily depends on the hardware but maybe someone could give me an estimate how long it would take to do this on a dual core with 2GHZ or whatever to have a frame of reference for the hardware.

To brute-force attack such a password one needs not only to cycle through all combinations but also try to decrypt with each guessed password which also needs some time.

Also, is there some software to brute-force hack TrueCrypt because I want to try to brute-force crack my own password to see how long it takes if it is really that “very easy”.

The Answer

SuperUser contributor Josh K. highlights what the attacker would need:

Another contributor, Phoshi expands on the idea:

The hash “strength” is dependent on how the password is stored. A MD5 hash might take less time to generate then a SHA-512 hash.

Windows used to (and may still, I don’t know) store passwords in a LM hash format, which uppercased the password and split it into two 7 character chunks which were then hashed. If you had a 15 character password it wouldn’t matter because it only stored the first 14 characters, and it was easy to brute force because you weren’t brute forcing a 14 character password, you were brute forcing two 7 character passwords.

If you feel the need, download a program such as John The Ripper or Cain & Abel (links withheld) and test it.

I recall being able to generate 200,000 hashes a second for an LM hash. Depending on how Truecrypt stores the hash, and if it can be retrieved from a locked volume, it could take more or less time.

Brute force attacks are often used when the attacker has a large number of hashes to go through. After running through a common dictionary they will often start weeding passwords out with common brute force attacks. Numbered passwords up to ten, extended alpha and numeric, alphanumeric and common symbols, alphanumeric and extended symbols. Depending on the goal of the attack it can lead with varying success rates. Attempting to compromise the security of one account in particular is often not the goal.

We would annotate Phoshi’s answer to read “Brute-force is not a viable attack, when using sophisticated current generation encryption, pretty much ever”.

If you want to be -super- secure, stick an extended-ascii symbol in there (Hold alt, use the numpad to type in a number larger than 255). Doing that pretty much assures that a plain brute-force is useless.

You should be concerned about potential flaws in truecrypt’s encryption algorithm, which could make finding a password much easier, and of course, the most complex password in the world is useless if the machine you’re using it on is compromised.

As we highlighted in our recent article, Brute-Force Attacks Explained: How All Encryption is Vulnerable, encryption schemes age and hardware power increase so it’s only a matter of time before what used to be a hard target (like Microsoft’s NTLM password encryption algorithm) is defeatable in a matter of hours.

Have something to add to the explanation? Sound off in the the comments. Want to read more answers from other tech-savvy Stack Exchange users? Check out the full discussion thread here.