Brute-force attacks are carried out by hackers which intend to crack your passwords with the help of software which simply tries different character combinations in quick succession. The algorithm is quite easy and limited to the trial and error of as many character combinations as possible. For this reason it is also called “exhaustive search”. The attacker normally uses a high-performance computer, which can perform a large number of calculations per seconds and thus can check a large number of combinations in a short time.
In practice, this method is often used successfully, because many users use short passwords, which in addition only consist of characters of the alphabet, which drastically reduces the number of possible combinations and makes it easier to guess the password.
Encryption of passwords
The RC5-72 project shows how quickly passwords can be identified. The goal of the project is to decrypt a message which has been encrypted with a 72 bit key. Do to so, all possible keys are checked until the correct key is found. As in this project different users contribute their computing capacities, they can currently (as of May 08, 2012) try more than 800 billion keys per second. In older projects of this organization, a 56 bit key had been decrypted within 250 days and a 64 bit key within 1,757 days.
Keyword combination and length
With a few calculation examples we will try to show how the length of a password and the number of characters interact in regard to a password's safety. In the following examples, we calculate with 2 billion keys per second, which a single high-performance computer might approximately manage.
When creating a password you have the following characters which you can use:
numbers (10 different ones: 0-9)
letters (52 different ones: A-Z and a-z)
special characters (32 different ones).
The number of different combinations can be calculated with the following formula:
Different combinations = number of possible characters password length
This results in the following overview - even without considering other factors like dictionary attacks:
You can see very clearly how the length of the keyword und the use of different charcter groups affect the security of a keyword.
Protection against brute-force attacks
The only possibility which you have to protect yourself against brute-force attacks is to use a complex master password, which is quite long and uses a combination of letters, special characters, numbers and lower case and upper case letters. The more complex and long your password is, the smaller the chance that the software used by the hacker is able to "guess" the combination, as we have learned from the above mentioned example.
Whenever you create a new password in Password Depot or generate one automatically with the help of the password generator, you will be shown how long it would approximately take to crack that password. Password Depot not only considers the factors already mentioned, but also other weaknesses like vulnerability to dictionary attacks.
Another possibility to make brute-force attacks more difficult is to extend the period between two possible logins (after a wrong password was entered) accordingly. That way, a high-performance computer can be slowed down in spite of the large number of calculations it could possibly do. For this reason you will have to wait a few seconds if you enter an incorrect password into the master password dialog of Password Depot, until you can try again. The more often you enter a wrong password, the longer the waiting period will get.