How long does it take to hack a 16-character password?

You gotta start scratching your head a bit when the Dept. of Defense gets its Twitter account hacked and issues an internal directive to change social networking passwords.

Not obvious to me why the DOD even has a Twitter account, and laughably frightening that they didn’t already have a policy for frequent password changes.

The fiasco reminded me of a competition to see how long it would take uber-hackers to crack 15,000 15-character passwords.




Let’s pretend that your passwords are 16 characters long – a mix of capital and lower case letters, numbers and special characters.

Here’s how long it takes to crack them …


According to the Daily Mail, given a 1-hour time limit, a team of hackers cracked more than 14,800 cryptographically hashed passwords – from a list of 16,449 – as part of a hacking experiment for tech website Ars Technica.

That’s a 90% success rate … almost 250 passwords per minute … about 1/4th of a second per password.

How did they do it?

A mixture of brute-force attempts, wordlists, statistically generated guesses using Markov chains, and other rules to turn a list of hashed passwords into plain text.

The brute force part was accomplished using a 25-computer cluster that cracks passwords by making 350 billion guesses per second.
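To put that guess rate in perspective, here is a small calculation added as an example (it is not from the Daily Mail or Ars Technica write-ups). It assumes passwords drawn uniformly at random from the 95 printable ASCII characters and takes the 350 billion guesses per second figure at face value; the function names are made up for this sketch.

```python
from fractions import Fraction

GUESSES_PER_SECOND = 350_000_000_000  # cluster rate quoted in the post
PRINTABLE_ASCII = 95  # assumption: upper, lower, digits, symbols and space


def keyspace(length, charset_size=PRINTABLE_ASCII):
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def worst_case_seconds(length, charset_size=PRINTABLE_ASCII,
                       rate=GUESSES_PER_SECOND):
    """Seconds to try every candidate of that length (average is half)."""
    return Fraction(keyspace(length, charset_size), rate)


def max_exhaustible_length(budget_seconds, charset_size=PRINTABLE_ASCII,
                           rate=GUESSES_PER_SECOND):
    """Longest length whose whole keyspace fits in the time budget."""
    budget_guesses = budget_seconds * rate
    length = 0
    while keyspace(length + 1, charset_size) <= budget_guesses:
        length += 1
    return length


def humanize(seconds):
    """Render a duration using the largest unit that fits."""
    units = (("years", 31_557_600), ("days", 86_400),
             ("hours", 3_600), ("minutes", 60))
    for unit, size in units:
        if seconds >= size:
            return f"{float(seconds / size):.3g} {unit}"
    return f"{float(seconds):.3g} seconds"


if __name__ == "__main__":
    print("exhaustible within 1 hour up to length",
          max_exhaustible_length(3600))
    for n in (6, 8, 10, 12, 16):
        print(f"{n:>2} chars: {humanize(worst_case_seconds(n))}")
```

Under these assumptions, exhaustive search inside the one-hour limit tops out at seven characters, so longer passwords that fell in the hour were reached through the wordlists, Markov chains and rules, not raw brute force.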

For tech details, see the Daily Mail article.

The process and capabilities are fascinating … and mucho scary.

How many of us have 16-character passwords?

If the over-under is 1, I’m betting the under.
