Ecclesiastes 1:9 ends

there is nothing new under the sun

But we’re all sophisticated, and besides, this is the computer age – there is something new every day!  Like cloud computing.  Sure, it looks a lot like the old client-server computing, where the processing took place out there somewhere, and it looks like the web (where does Google keep its data, anyway?), and it looks like old time-sharing computers.

But we are facing some old challenges with this “new” technology – bad guys.

Dave Farquhar commented on how easy it is to break passwords using Amazon’s cloud computing system.  It’s cheap, too, testing 24 million passwords in a minute for a cost of 28 cents.  That’s getting into some scary access!

Let’s put some numbers on this and see what we could do to improve password security.

Dave puts out the theoretical password “popcorn”, and estimates that a dictionary attack could break it in two and a half seconds (there are only a million words in the English language).  Yikes!

I’m willing to give you the benefit of the doubt, and take for granted that you’re using something besides a word from the dictionary.  You’re going to force the bad guys to search through every possible word that can be made.  For a 7-character password, that’s 26 to the 7th power, since each position in the password could be any of the letters.  That’s gonna cost the bad guys 93 bucks to discover (26^7 possible words, divided by 400,000 attempts per second, divided by 60 seconds in a minute, times 0.28 dollars per minute, laid out here or here).  Not bad – changing the last letter of the password from an N to an M pulls you out of the dictionary and moves your enemy from little Billy to the wacky neighbor with a grudge.

Let’s crank it up a notch.  Add capital letters.  Should double it from 93 bucks to, umm, close to two hundred, right?  Wrongo!  On that second search, the one from Wolfram Alpha, change the numbers yourself and see what happens.  The number line at the bottom gives you a good visual sense of what’s going on as you change the 26 to 52.  Twelve thousand bucks?  Now you’re talking some serious dollars – maybe what a prosecuting attorney would spend to break a password.

And that’s just the letters – what about if we add in numbers (and not just the “zero for oh, one for i” substitutions, although it could be as simple as adding a year or a sequential counter).  That puts our base at 62 instead of 52.  Comes out to forty-one thou.  That’s the sort of bucks a state might drop on breaking a password.  Little Billy, who’s bothered at you for not letting him ride his 4-wheeler through your lawn, can’t break into your wireless unless he’s willing to give up a couple cheap cars to do it.

Next upgrade to our password protection?  Let’s go up to an 8-character password, keeping everything else the same.  So we have upper and lower case, plus all ten digits, eight of them in a row.  Here’s where Google comes back into play, where they use spaces instead of commas to separate the number groups.  And although Wolfram Alpha shows the number in scientific notation (making it hard to count piles of dollars), sticking a dollar sign on the front of the equation transforms the calculation into a very readable two and a half million dollars (or, if you wish, 211 million yen).  That’s FBI-level password breaking (if they use Amazon’s cloud services).

Pulling out all the stops, let’s add in punctuation marks.  All 32 of them that are on the keyboard.  You don’t have to use all of them, but do something more than swapping in a dollar sign for an S.  Now I’m talking in theory here, because some security systems won’t accept certain punctuation marks.  But our theoretical system will, because it’s perfect (theoretically).  So our base bumps up from 62 possible characters to 94 choices for each “letter” of your 8-character password.  71 million dollars to break that password, if you have the last one they look for.  On average, about half that.  You’re getting into the kind of money that countries spend if they’re really bothered at you.

So let’s add the final twist: a ten-character password.  Wolfram Alpha reports that as costing some $628 billion-with-a-B to break.  Of course, for this sort of money, you could buy Microsoft and Google and IBM, rounded to the nearest billion.

So there are cheaper ways to break somebody’s password, but this should give you some ideas on what you can (and should) do to increase your password security.

Oh, and don’t irritate the National Security Agency.  They probably have a computer that can break a 10-character password for twenty-eight cents.  Cost them billions of our taxpayer money to build, but it’s cheap to run.
