How Long It Takes To Hack Your Password

by Matthew Jones

One of the most common ways that accounts are compromised (aside from the obvious – leaving your password written down on a piece of paper, making it your birthday, “phishing” emails/websites that masquerade as an authentic communication, or a “low effort” password like the ones outlined in Sandra Lim’s blog entry on “Picking The Right Password”) is via what is known as a “brute force” attack.

Essentially this involves a hacker’s machine going through random passwords with constant login attempts until it hits proverbial paydirt. It’s not terribly elegant (it’s literally pounding away at the login server with password attempts, thus the ‘brute force’ terminology) and you might have noticed that a lot of sites try to combat this by limiting the amount of login attempts you can make before your account is locked out for a period of time – anywhere from an hour to 24 hours.

However, this is still far from standard practice. It can cause significant inconvenience for the legitimate owner of the account if they’re locked out. Attempts to block login attempts by IP address are often fruitless as well since a hacker can easily ‘spoof’ (fake) what IP address their attempts are coming from, or make use of compromised machines (often known as zombie PCs).

Bloomberg Businessweek provides some interesting statistical data on the time it takes for a hacker’s computer to brute force your password based on the length and complexity of your password:

This data hopefully answers the “why?” questions our CSRs often get asked about elements of iiNet’s password policy. Any iiNet password must adhere to the following rules:

1. Should be at least 9 characters in length
2. Should contain a mix of upper and lowercase characters
3. Should contain at least one digit (e.g. 0-9)
4. Cannot be based on your username
5. Cannot contain spaces or tabs.

Any passwords which do not meet these requirements will not be accepted by iiNet’s systems. This applies to staff and customers alike. However, not all password systems are as strict. It’s good security practice to follow those five rules whenever you create a password on any website. Better yet, include symbols.


  1. Joshua Lay says:

    If the idea of remember complex passwords is daunting. Use a password manager.

    This way you only have to remember one password for everything. The password manager will be your brain for all your secure passwords.

    It’s also great since you aren’t going to forget a password you’ve stored.

  2. Ashley 'eagleeyed' Walker says:

    While I definately agree that iiNet’s password policy is appropiate, there is always one downside to making people use long passwords, which depending on peoples views could be even worse that having a short password.

    By encouraging people to use long passwords and encouraging them to remember it, not write it down it seems a lot of people, especially residental users will use the same password for everything thinking its safe to do so.

    Then all it takes is that one password to accidently be obtained, be it a phishing site, a sites database being compromized or other for all that users accounts being suddenly accessible, until the user finds out and has the time to go to every site and change every password.

    I think there still has to be a more universal and secure way for people to log into websites and services, be it a discussion forum or banking. Relying on codes does have some benefits, however it can also be quite a security flaw.

    Definately use longer passwords with numbers and symbols, however dont use that same password for everything, as if it does get compromized it will cause a lot more hassle.

  3. softstars says:

    Thank you..really informative!!

  4. James Sach says:

    Any chance of a universal iinet log in? (and/or password manager?)