June 30, 2011

Password Reset Software: "I Can Hack Your Password In... 3.03 Millennia!"

By David Sims, TMCnet Contributing Editor

Is password reset software necessary?

Today’s Cool Factoid: If you have an eight-character password, adding one capital letter and one asterisk would change the processing time for a hacker to crack it using a brute force attack, from 2.4 days to 2.1 centuries.

It might pay to try to memorize that extra character or capital letter in your password or to use password reset software to beef it up.

Blogger John P., who writes for, says hackers “have developed a whole range of tools to get at your personal data.” Despite what you hear about thousands and millions of passwords being stolen in the blink of an eye, a strong, unguessable, unique password is still the best defense you have against personal data loss. Password reset software can help greatly with that.

Quick: Is your password – yes, we know you use the same one everywhere – at least eight characters and a combination of lowercase and uppercase letters, with at least one symbol or number tossed in somewhere? If it is, pat yourself on the back.

In the blog post, John describes a brute force attack: it assumes you probably use the same password for lots of things, and it doesn’t try to get it from your bank, since the bank’s security is up to snuff. But the other sites you use – “the Hallmark e-mail greeting cards site, an online forum you frequent, or an e-commerce site you’ve shopped at” – probably aren’t, and are much more hackable.

Then the hacker runs Brutus, wwwhack, or THC Hydra, or some such program, to run through thousands of possible combinations at warp speed.

Now here’s where the strength of your password comes into play. As John says, with a reasonably fast connection and PC, it would take a hacker 0.02 seconds to hack a three-character password if it’s all lowercase letters. Six characters, about five minutes. Eleven characters? It’d take 1.16 centuries, and if your password’s 14 lowercase letters, it would take a hacker 2,000 millennia to hack it. So you’re probably safe with that one.

Now let’s see how much stronger a password is that uses all characters. It would take a hacker 0.86 seconds to hack a three-character password using uppercase letters, numbers and symbols, 8.5 days for a six-character one, 180,365 millennia for an eleven-character one, and if you have a 14-character password using uppercase letters, numbers and symbols, it would take a brute force hacker using an average computer with a good connection about 154,640,721,434 millennia to crack it. So you’re probably safe with that one.
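The two paragraphs above are really one calculation: the number of candidate passwords is the character-set size raised to the password length, and crack time is that keyspace divided by the attacker's guessing speed. The Python below is an added example, not code from this article or from John P.'s post; it backs the assumed attacker speed out of the “three lowercase characters in 0.02 seconds” figure and then reproduces the rest of the table, including the eight-character comparison at the top. The 26-letter lowercase set and the 94-character printable-ASCII set are assumptions.

```python
"""Reproduce the brute-force crack-time figures quoted in the article.

Added worked example. Assumes a 26-letter lowercase set, a 94-character
printable-ASCII set, and an attacker speed equal to whatever the article's
"3 lowercase characters in 0.02 s" figure implies.
"""

LOWERCASE = 26
ALL_PRINTABLE = 94          # assumption: 26 + 26 + 10 digits + 32 symbols
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def keyspace(charset_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` drawn from `charset_size` symbols."""
    return charset_size ** length


def implied_guess_rate(charset_size: int, length: int, seconds: float) -> float:
    """Guesses per second that a quoted crack time implies (keyspace / time)."""
    return keyspace(charset_size, length) / seconds


def seconds_to_exhaust(charset_size: int, length: int, rate: float) -> float:
    """Worst case: time to try every password in the keyspace at `rate` guesses/s."""
    return keyspace(charset_size, length) / rate


def describe(seconds: float) -> str:
    """Render a duration in the units the article uses."""
    years = seconds / SECONDS_PER_YEAR
    if seconds < 60:
        return f"{seconds:.2f} s"
    if seconds < SECONDS_PER_DAY:
        return f"{seconds / 60:.1f} min"
    if years < 1:
        return f"{seconds / SECONDS_PER_DAY:.1f} days"
    if years < 100:
        return f"{years:.1f} years"
    if years < 1000:
        return f"{years / 100:.2f} centuries"
    return f"{years / 1000:,.0f} millennia"


def compare_eight_char_passwords(rate: float) -> tuple[float, float]:
    """Headline case: 8 lowercase chars vs. 8 chars where the attacker must
    also allow for uppercase and symbols (the full 94-character set)."""
    return (seconds_to_exhaust(LOWERCASE, 8, rate),
            seconds_to_exhaust(ALL_PRINTABLE, 8, rate))


if __name__ == "__main__":
    rate = implied_guess_rate(LOWERCASE, 3, 0.02)   # about 878,800 guesses/s
    print(f"implied attacker speed: {rate:,.0f} guesses/s")
    for charset, label in ((LOWERCASE, "lowercase"), (ALL_PRINTABLE, "all printable")):
        for length in (3, 6, 8, 11, 14):
            print(f"{label:>13} x{length:2}: {describe(seconds_to_exhaust(charset, length, rate))}")
    weak, strong = compare_eight_char_passwords(rate)
    print(f"8 characters: {describe(weak)} -> {describe(strong)}")
```

Run as-is, the script lands within rounding of the article's numbers (roughly 2.7 days versus 2.2 centuries for the eight-character case), which confirms the figures all come from the same assumed guessing speed. Note that the jump from days to centuries assumes the attacker does not know where the capital letter and the asterisk sit and therefore has to search the whole 94-character set at every position.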

And as John says, 95 percent of the other ways hackers compromise your security begin with compromising your weak password. So since you can completely control that, start there.

David Sims is a contributing editor for TMCnet. To read more of David’s articles, please visit his columnist page. He also blogs for TMCnet here.

