A report from the cybersecurity company Hive Systems shows the range of time it can take a cybercriminal to recover a user’s password by brute force, the method of trying candidate passwords one after another until one succeeds.
Ten years ago, the estimated time for a 10-character password was over 106 years, but now for a password of the same length, the duration can be as little as three weeks.
Much of this progress is due to technical advances, such as faster graphics cards that accelerate the guessing process, combined with cloud computing platforms when the times would otherwise be very long.
How long does it take a criminal to know a password?
There are two factors to consider in this process, and they are the users’ weapons for defending themselves against such attacks: the number and type of characters.
The researchers tested passwords from 4 to 18 characters, with variants of numbers, lowercase and uppercase letters, and symbols. From this, they built a table with the range of time it could take a cybercriminal to obtain a user’s password.
For example, a password of 4 to 6 characters is no barrier at all, because it can be guessed immediately by brute force. Not far behind are passwords of 7 to 9 characters, which hold out for anywhere from 2 seconds to 2 days.
At the opposite end are passwords of 16 to 18 characters, especially those that combine lowercase and uppercase letters, numbers and symbols, which can take criminals between 92 billion and 438 trillion years.
These numbers keep shrinking: in 2012 the time needed to obtain a 10-character password of numbers, lowercase and uppercase letters was 106 years; by 2021 it had fallen to seven months, and last year it was three weeks.
The minimum conditions to have a secure key
With this picture in mind, several features are becoming mandatory for passwords amid the growth of attacks and the technical improvements used to exploit platforms.
The first thing is that every password must have a combination of lowercase and uppercase letters, numbers and symbols. It is non-negotiable.
Regarding length, there is more flexibility, but the minimum is 11 characters, so that criminals need at least 3 years to guess the password by brute force.
Such a long password may be hard for some users to remember, given that most people have more than one, one for each platform on which they hold an account, such as social networks, online stores and email. In that case the best option is a password manager.
It is also important to complement this with two-factor authentication, an additional barrier for criminals: these are mostly temporary codes that arrive through a different channel, such as email or a text message to the cell phone.