How much is my password?

Sebastian Hanson
22. September 2020
Reading time: 4 min
How much is my password?

[et_pb_section admin_label=”section”]
[et_pb_row admin_label=”row”]
[et_pb_column type=”4_4″][et_pb_text admin_label=”Text”]Most people probably see good passwords as a cumbersome necessity. They come attached with a seemingly ever-changing set of rules that force us to create intricate text strings that are usually a pain memorize.

In this post I will try to highlight the joy of good passwords by assigning them a monetary value albeit admittedly an imperfect one. I encourage everybody not to see password creation as a tedium but instead to enjoy the financial catastrophe we inflict to an imaginary attacker foolish enough to attempt cracking our password. In addition I will present a scheme that allows the creation of good passwords that are also easy to remember.

But first we need some context for our discussion.

The model for our discussion

First we will only consider offline cracking — meaning that our attacker obtained a hash value generated from our password. Specifically we will assume SHA-1 hashes because of their widespread adoption for storing passwords.
We also assume that our passwords are too complex to be found in an online hash database or included in a rainbow table that can be purchased for less than 1K USD.

In order to calculate the required monetary investment to brute-force our password we will use the AWS EC2 p3.16xlarge instance as our base unit of computing which at the time of writing costs $24.28 per hour. Each of the 8 GPUs included can compute roughly 16900 MH/s (mega hashes per second) which gives us a combined total of 135 GH/s. I don’t know how many instances one could actually rent simultaneously. Since we’re doing this for fun we assume the supply to be without limits.
Lastly, for simplicity’s sake we assume the worst case scenario for our attacker, that he has to brute force the whole key space to get our password.

Cracking cost

We will now chart the cost for various password schemes by password length. The schemes are the following: lower case alphabet, mixed case alphabet, mixed case alphabet with numbers and mixed case alphabet with numbers and 10 special keys:



As we can see 8 characters and below is dangerous even with a large base character set. But once we’re past 13 characters we’re safe with any of the sets (at least within this model).

One thing we have to keep in mind is that the key space of human generated passwords is only a subset of the spaces we considered. Since we rely on patterns to generate and remember our passwords, those patterns might be inferred by an attacker and used against us. One way to avoid this is to use (pseudo-)randomly generated passwords. But those are hard to remember. Another way would be to simply make our passwords longer. A password with 15 or more characters using the alphanumeric + special characters key space will not be viable for brute forcing even if a pattern is known to the attacker.

How to generate good passwords

One simple way to generate long passwords that are easy to remember and have the desired base complexity would be to build sentences with special characters for word separation and a made up word to avoid dictionary attacks. Something like: !This@Is#My$Password%Flubbix. It’s easy to remember and has more than enough characters to be safe. For a more thorough discussion of the merits of using phrases instead of words see here.

I hope you enjoyed this post and that it gave you a new appreciation for good passwords![/et_pb_text][/et_pb_column]