How Secure is your Password?

Most people realize that some passwords are harder to guess than others. But a new online tool allows you to see just how much variation there is.

The appropriately named www.howsecureismypassword.net has a single, simple purpose: you type in your password and the site tells you how long it would take a desktop PC to crack it, presumably by a brute force attack (that is, literally trying out every possible combination of characters.)

It should be noted the site promises that “no data is stored or transferred anywhere.” If you are still a little paranoid, it might be worth typing in a dummy password of the same construction. So, for example, if your password was smith1952, try something like jones1948 instead.

The mathematics of the calculation seems simple enough: as best I can tell it works on the basis that longer passwords take longer to crack, adding numbers as well as letters increases the difficulty, and adding other characters such as punctuation marks adds even more.

The tool does note when you type in one of 500 most popular passwords, but otherwise doesn’t seem to distinguish between dictionary words and random strings of characters. In reality, actual words are usually considered less secure as they can be cracked using the much quicker technique of running through all the words in the dictionary.

Even with these limitations, and bearing in mind that the results should only be taken as comparatives rather than absolutes, the results are staggering. To give one example, a password I use for discussion forums would apparently take 13 minutes to crack, while a longer one I use for my webmail access would take 138 million years!

To give some illustration of the way the security rises in a disproportionate way, here’s the times for some password combinations:

Letters only:

6 letters (the least secure password allowable on Hotmail): 30 seconds
7 letters: 13 minutes
8 letters: 5 hours
9 letters: 6 days
10 letters: 163 days
11 letters: 11 years
12 letters: 302 years

Letters and numbers:

6 characters: 3 minutes
7 characters: 2 hours
8 characters: 3 days
9 characters: 117 days
10 characters: 11 years
11 characters: 417 years
12 characters: 15 thousand years

Letters, numbers and other characters:

6 characters: 23 minutes
7 characters: 18 hours
8 characters: 38 days
9 characters: 5 years
10 characters: 252 years
11 characters: 12 thousand years
12 characters: 607 thousand years

One thing to note is that while the numbers leap up the most when extending longer passwords, the practical effects are arguably much more significant for shorter passwords. For example, somebody who did the bare minimum with a Hotmail account (6 letters) could simply add a number and a punctuation mark to the end of their password and extend the cracking time from 30 seconds to 38 days, which would certainly put off many would-be attackers.

It also makes for a good argument that web companies which ask users to choose passwords could make their systems substantially more secure simply by asking for a couple of extra characters or for a combination of letters and numbers.