A very interesting article (http://www.lockdown.co.uk/?pg=combi&s=articles) shows the relationship between the length and complexity of a password and how long it would take to crack. It breaks the figures down by password style: letters only, letters with numbers, mixed-case letters and numbers, and mixed-case letters, numbers and symbols.
For example, the word "Darren" used as the password on a Microsoft Word document would take a Pentium 100 just over 8 hours to crack (remember, newer computers are 10-25x that speed). Under the same setup, "Bm0!4C4n" would take 22,875 years. At today's cracking rate of 1,000,000,000 passwords per second, "Bm0!4C4n" would last just over 83 days. Note that these figures are worst-case estimates, the time needed to try every candidate: a brute-force search starts at one end of the keyspace and works through it in order, so the real password is found wherever it happens to fall, on average after half the keyspace has been tried. If the search goes through a-z, then A-Z, then 0-9, our test password "Bm0!4C4n" would be cracked well before a password that starts with a Z.
To demonstrate the strength of their cipher, RSA Labs runs a challenge to recover RC5 keys by brute force. Distributed.net (a collection of people donating their spare CPU cycles over an Internet-based network) broke the RC5-64 bit key in 1,757 days and is currently working on the RC5-72 bit key, testing over 147.97 gigakeys a second, just under 148 billion keys a second. If Distributed.net were the bad guy, "Bm0!4C4n" could fall in just over 13 hours. (Testing one RC5 key and testing one password guess are not the same amount of work, so treat this as an order-of-magnitude comparison rather than an exact figure.)
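The arithmetic behind the figures above, as an added worked example (not code from the article, RSA or Distributed.net): keyspace size per character class, worst-case and average time at a given guess rate, and how far into an in-order search a particular password falls. The 96-symbol alphabet is inferred from the article's 83-day figure for an 8-character password (ASCII printable is 95 characters, so the 96th symbol is an assumption made to match the article), the two guess rates are the ones quoted in the text, and the enumeration order a-z, A-Z, 0-9, symbols is the one the article describes.

```python
import string

# Alphabet sizes for the password styles the article compares. The 8-character,
# 83-day figure works out to a 96-symbol alphabet; ASCII printable is 95
# characters, so the 96th symbol is an assumption made here to match the article.
CHARSET_SIZES = {
    "lowercase letters": 26,
    "letters and digits": 36,
    "mixed case and digits": 62,
    "mixed case, digits and symbols": 96,
}

# Enumeration order the article describes: a-z, then A-Z, then 0-9, then symbols.
ORDERED_ALPHABET = (string.ascii_lowercase + string.ascii_uppercase
                    + string.digits + string.punctuation + " ")

SECONDS_PER_HOUR = 3600
SECONDS_PER_DAY = 86400


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates of exactly `length` characters."""
    return alphabet_size ** length


def cumulative_keyspace(alphabet_size: int, max_length: int) -> int:
    """Candidates of length 1..max_length, which is what a real brute-forcer walks."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def seconds_to_exhaust(space: int, guesses_per_second: float, average: bool = False) -> float:
    """Worst-case time to try every candidate in `space`; with average=True the
    expected time, since the target sits halfway through the search on average."""
    seconds = space / guesses_per_second
    return seconds / 2 if average else seconds


def guess_index(password: str, alphabet: str = ORDERED_ALPHABET) -> int:
    """How many same-length candidates an in-order search tries before reaching
    `password`. The password is read as a base-len(alphabet) number."""
    index = 0
    for ch in password:
        index = index * len(alphabet) + alphabet.index(ch)
    return index


def fraction_searched(password: str, alphabet: str = ORDERED_ALPHABET) -> float:
    """Share of the same-length keyspace covered before `password` is hit."""
    return guess_index(password, alphabet) / keyspace(len(alphabet), len(password))


def crack_table(length: int, guesses_per_second: float) -> dict:
    """Worst-case days to exhaust each character class at `length` characters."""
    return {name: seconds_to_exhaust(keyspace(size, length), guesses_per_second) / SECONDS_PER_DAY
            for name, size in CHARSET_SIZES.items()}


if __name__ == "__main__":
    modern_rate = 1e9        # 1,000,000,000 guesses/s, as quoted in the text
    dnet_rate = 147.97e9     # Distributed.net's RC5-72 rate, as quoted in the text
    space = keyspace(96, 8)
    print(f"96^8 keyspace: {space:,}")
    print(f"worst case at 1e9/s: {seconds_to_exhaust(space, modern_rate) / SECONDS_PER_DAY:.1f} days")
    print(f"average at 1e9/s:    {seconds_to_exhaust(space, modern_rate, average=True) / SECONDS_PER_DAY:.1f} days")
    print(f"worst case at Distributed.net rate: {seconds_to_exhaust(space, dnet_rate) / SECONDS_PER_HOUR:.1f} hours")
    print(f"'Bm0!4C4n' is reached after {fraction_searched('Bm0!4C4n'):.1%} of an in-order 8-char search")
    for name, days in crack_table(8, modern_rate).items():
        print(f"{name:32s} {days:>14.2f} days")
```

Because "B" is the 28th symbol in that ordering, an in-order search reaches "Bm0!4C4n" after about 28% of the 8-character keyspace, which is why the article's exhaustive-search times are upper bounds; the only thing that restores the full cost is not letting the attacker guess offline at all.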
Fortunately, at this time there is no large distributed "bad guy" network of this kind. However, something well known in the information security world is the 'bot-net': computers taken over by crackers or others through viruses or spyware, usually sitting dormant until a command is issued by the controller. We saw the effect of these 'bot-nets' a few years ago when a Canadian cracker (Mafiaboy) launched a major DDoS attack on websites such as yahoo.com, taking them offline for more than 3 hours.
Currently, international information security and law enforcement agencies work to dismantle 'bot-nets'. However, as computers get faster and prices drop, it will become easier and cheaper to build a distributed network of computers in your own home capable of cracking passwords lightning fast. All it takes is for someone to get hold of a copy of a password database (the stored hashes or encrypted passwords): the cracking then happens offline, at full speed and with no account lockout, and each recovered password can be tested at other sites where the same user reused it.
Now, with newer technology, we can use one-time, two-factor passwords such as RSA's SecurID token system. This applies the "something you know, something you have" principle: the user enters a PIN together with the code displayed on the token. Since the tokencode changes every 60 seconds (depending on the token setup), and the server disables the token after X failed tries, it is almost impossible to brute-force the passcode remotely. However, the technology does have a downside. To keep the number of available tokens flexible for a company, seed files are supplied to be imported into the server. If those seed files were compromised, every token associated with them would be rendered useless: since 2000 there have been programs able to reproduce the digits on a token by importing the seed file and running it through the RSA algorithm, reducing the passcode to just the "something you know" (the PIN). Social engineering, or a brute-force attack spread over a few weeks (remember, the RSA server blocks a token after X tries, so the attacker must stay under that limit), would then be enough to break the SecurID login.
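To make the seed-file point concrete, here is an added example (not RSA's code and not the SecurID algorithm, which is proprietary; it uses the public HMAC-based one-time-code construction of RFC 4226/6238 as a stand-in). It shows the property that matters: the tokencode is a deterministic function of the seed and the clock, so anyone holding the seed computes exactly the digits the hardware token displays, and the server's lockout counter is the only thing standing between them and the PIN. The seed bytes, PIN, 60-second step and 3-try lockout are constructed values for the demonstration.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time code (RFC 4226 construction, SHA-1, dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """Time-based code: the HOTP counter is the current time-step number.
    A 60-second step mirrors the tokens described in the text."""
    return hotp(secret, unix_time // step, digits)


class TokenServer:
    """Minimal authentication server. The passcode is PIN + current tokencode;
    the token is locked after `max_failures` consecutive bad passcodes."""

    def __init__(self, seed: bytes, pin: str, max_failures: int = 3, step: int = 60):
        self.seed = seed
        self.pin = pin
        self.max_failures = max_failures
        self.step = step
        self.failures = 0
        self.locked = False

    def verify(self, passcode: str, now: int) -> bool:
        if self.locked:
            return False
        expected = self.pin + totp(self.seed, now, self.step)
        if hmac.compare_digest(passcode, expected):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
        return False


def clone_tokencode(stolen_seed: bytes, now: int, step: int = 60) -> str:
    """What an attacker holding the seed record can compute: the same digits
    the legitimate token shows, with no access to the device at all."""
    return totp(stolen_seed, now, step)


def brute_force_pin(server: TokenServer, stolen_seed: bytes, now: int, pin_digits: int = 4):
    """With the seed in hand only the PIN is unknown. Try PINs in order until
    the server accepts one or locks the token. Returns (pin or None, attempts)."""
    code = clone_tokencode(stolen_seed, now, server.step)
    for attempt, candidate in enumerate(range(10 ** pin_digits), start=1):
        pin = str(candidate).zfill(pin_digits)
        if server.verify(pin + code, now):
            return pin, attempt
        if server.locked:
            return None, attempt
    return None, 10 ** pin_digits


if __name__ == "__main__":
    seed = b"constructed-seed-record-0001"   # stands in for one token's seed file entry
    now = 1_000_000_000                      # fixed clock so the run is reproducible
    server = TokenServer(seed, pin="4821", max_failures=3)
    print("token displays:", totp(seed, now), " attacker computes:", clone_tokencode(seed, now))
    print("legitimate login:", server.verify("4821" + totp(seed, now), now))
    print("PIN brute force with stolen seed:", brute_force_pin(server, seed, now))
    print("token locked after lockout limit:", server.locked)
```

With a 4-digit PIN and a lockout of 3 tries, an attacker who already has the seed gets 2 free guesses per lockout cycle, which is exactly why the text talks about an attack "over a few weeks" rather than minutes: the lockout, not the secrecy of the tokencode, is what is left once the seed is gone.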
In closing, remember to change your password often; don't use simple words or numbers, but use a mixture of case, numbers and symbols. And if your account ever gets locked out, make sure you change your password to something different.
References include the RSA website, the Distributed.net website and the article listed above.