NIST’s new password security rules beg a question …..

How long does it take to hack a 16-character password?


Last week, NIST (the National Institute of Standards and Technology) issued new guidelines for password security.

After a review, NIST concluded that its former rules — passwords to include upper and lower case letters, numbers, special characters — made logins more complicated but didn’t materially improve online security.

Now, NIST is recommending using long, easy-to-remember phrases instead of relatively short strings of mixed letters, numbers and characters.

The rationale: the longer the string, the harder it is to crack.

For example, some researchers concluded that it would take only 3 days to crack a password like “Tr0ub4dor&3” — but over 550 years to crack the password “CorrectHorseBatteryStaple”.


Oh really?

The story reminded me of a prior HomaFiles post that reported on a hacking test.

Hackers were given 1 hour to crack more than 16,000 cryptographically hashed passwords.

Here are the (frightening) results …


According to the Daily Mail, given a 1-hour time limit, a team of hackers cracked more than 14,800 cryptographically hashed passwords – from a list of 16,449 – as part of a hacking experiment for tech website Ars Technica.

That’s a 90% success rate … almost 250 passwords per minute …  about 1/4th of a second per password.

How did they do it?

A mixture of brute-force attempts, wordlists, statistically generated guesses using Markov chains, and other rules to turn a list of hashed passwords into plain text.

The brute-force part was accomplished using a 25-computer cluster that can crack passwords by making 350 billion guesses per second.

For tech details, see the Daily Mail article.

The process and capabilities are fascinating … and mucho scary.


P.S.  My guess: a 25 letter nonsense phrase — like the one above — wouldn’t take much longer than a funky 16-character password.

So, if you really want to protect yourself, use 2-step verification — or at least ask for challenge questions.
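As an added illustration (not from the original post), the following Python works out the search space and worst-case time-to-exhaust at the 350 billion guesses per second quoted above, for the two password styles compared in the P.S., and shows why the number changes so much when the attacker must go through a throttled login instead of a stolen hash list (the one-guess-per-second lockout rate and the 2048-word list size are assumed figures, not from the post).

```python
import math

# Rate quoted in the post for the 25-computer cluster: guesses made against
# password hashes the attacker already holds, so no login lockout applies.
OFFLINE_GUESSES_PER_SEC = 350e9
# Assumed figure (not from the post): a login form that locks out after a few
# failed attempts holds an attacker to roughly one guess per second.
ONLINE_GUESSES_PER_SEC = 1.0
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` symbols from `alphabet_size` choices."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Search space expressed in bits; each extra bit doubles the attacker's work."""
    return math.log2(space)


def years_to_exhaust(space: float, guesses_per_sec: float) -> float:
    """Worst-case time to try every candidate; on average an attacker needs half."""
    return space / guesses_per_sec / SECONDS_PER_YEAR


def compare(guesses_per_sec: float = OFFLINE_GUESSES_PER_SEC) -> dict:
    """Map each password model to (bits, years) at the given guessing rate."""
    models = {
        # the 16-character password of the headline, 95 printable ASCII symbols
        "16 chars, brute force over 95 symbols": keyspace(95, 16),
        # the 25-letter phrase of the P.S., if guessed letter by letter
        "25 letters, brute force over 26 symbols": keyspace(26, 25),
        # the same phrase if guessed word by word from a 2048-word list
        # (list size is an assumption, not a figure from the post)
        "4 words from a 2048-word list": keyspace(2048, 4),
    }
    return {name: (entropy_bits(s), years_to_exhaust(s, guesses_per_sec))
            for name, s in models.items()}


if __name__ == "__main__":
    for rate, label in ((OFFLINE_GUESSES_PER_SEC, "offline hash cracking"),
                        (ONLINE_GUESSES_PER_SEC, "throttled online login")):
        print(f"--- {label}: {rate:g} guesses/s ---")
        for name, (bits, years) in compare(rate).items():
            print(f"{name:42s} {bits:6.1f} bits  {years:12.3g} years")
```

The word-by-word model falls in under a minute at the offline rate, which is why a phrase built from common words gains far less than its letter count suggests; a lockout only helps against the online column, not against a leaked hash database.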


One Response to “NIST’s new password security rules beg a question …..”

  1. Paul Curtin Says:

    I get that given massive computing power and nearly unlimited tries would get through most passwords. But wouldn’t the lock-out-after-3-attempts security feature largely thwart that method in the real world?
