This matrix will allow you to judge how quickly a hacker or assessor can break your password with the current cracking methodologies. We will compare several different password configurations in this exercise based on the following parameters:
Passwords with all numbers
Passwords with all letters (Lowercase)
Passwords with all letters (Uppercase)
Passwords with letters and numbers (Mixed case)
Passwords with letters, numbers and 14 symbols (Mixed case)
To learn how to replicate this analysis, please review the Cracking with Cain tutorial located on this site. All brute-forcing times are relative to the processing power and memory complement of the test system. Results may vary.
Note: Passwords with fewer than 6 characters are not considered in this analysis because there is no need to discuss a password of that simplicity. Even the most complex passwords containing only 5 characters can be brute forced in less than 2 hours and as such are not worthy of analysis.
Note: The time necessary to perform and successfully complete a dictionary attack is directly proportional to the computer's ability to read and compare dictionary files against the hashes, and to the size and length of the dictionary files used in the attack. A recent test of the Ramius Dictionary file (1.08 GB) processed over 800 hashes in 1 hour 10 minutes with a success rate of 41%. The passwords recovered ranged from blank values to passwords in excess of 13 characters. The computer utilized was an HP nx9500 with dual P4 processors and 1 GB of RAM, running Cain 2.5 on Windows 2000 SP4. Your time and results may vary, but a rule of thumb is about 1.5 hrs per gig of dictionary files. Refer to the Dictionary Cracking tutorial on this site to learn more about the advantages of dictionary attacks and why they are used in every RT engagement, even when a full set of rainbow tables is available for all hash types being tested.
Brute forcing: LAN Man hashes

| Password | Brute forcing | Rainbow Tables* |
| --- | --- | --- |
| 6 digit pass with all numbers | 1 second | 28 minutes |
| 6 digit pass with all letters (Lower or upper) | 4 minutes | 28 minutes |
| 6 digit pass with letters and numbers (Mixed case) | 10 hours | 28 minutes |
| 6 digit pass with Mixed Alpha and 14 symbols | 1.54 days | 28 minutes |
| 7 digit pass with all numbers | 9 seconds | 28 minutes |
| 7 digit pass with all letters (Lowercase) | 1.5 minutes | 28 minutes |
| 7 digit pass with letters and numbers (Mixed case) | 27.4 days | 28 minutes |
| 7 digit pass with Mixed Alpha and 14 symbols | 113 days | 28 minutes |
| 8 digit pass with all numbers | 1.2 minutes | 28 minutes |
| 8 digit pass with all letters (Lowercase) | 1.6 days | 28 minutes |
| 8 digit pass with letters and numbers (Mixed case) | 4.6 years | 28 minutes |
| 8 digit pass with Mixed Alpha and 14 symbols | 23.5 years | 28 minutes |
| 9 digit pass with all numbers | 11 minutes | 28 minutes |
| 9 digit pass with all letters (Lowercase) | 57 minutes | 28 minutes |
| 9 digit pass with letters and numbers (Mixed case) | 378 years | 28 minutes |
| 9 digit pass with Mixed Alpha and 14 symbols | 2370 years | 28 minutes |
| 10 digit pass with all numbers | 2.6 hours | 28 minutes |
| 10 digit pass with all letters (Lowercase) | 4.8 years | 28 minutes |
| 10 digit pass with letters and numbers (Mixed) | 23481 years | 28 minutes |
| 10 digit pass with letters and numbers (Mixed) | 182000 years | 28 minutes |
| 11 digit pass Mixed Alpha and 14 symbols | 1.724533e+007 years | 28 minutes |
| 12 digit pass Mixed Alpha and 14 symbols | 1.01826e+009 years | 28 minutes |
| 13 digit pass Mixed Alpha and 14 symbols | 8.07159e+010 years | 28 minutes |
| 14 digit pass Mixed Alpha and 14 symbols | 6.09418e+012 years | 28 minutes |
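
The brute-force figures in the matrix above scale with alphabet size raised to the password length. The following added example (not part of the original page) computes that keyspace for the page's character classes and, using the known LM behaviour of upper-casing the input and hashing two 7-character halves independently, the smaller keyspace an LM hash actually presents. The 14-symbol set, the guess rate and all function names are assumptions.

```python
import string

# The page does not list its 14 symbols; this set is an assumption.
SYMBOLS_14 = "!@#$%^&*()-_+="
CHARSETS = {  # character classes matching the matrix rows
    "digits": string.digits,
    "lowercase": string.ascii_lowercase,
    "mixed_alnum": string.ascii_letters + string.digits,
    "mixed_alnum_sym14": string.ascii_letters + string.digits + SYMBOLS_14,
}
ASSUMED_RATE = 1_000_000  # guesses/second; assumed, not the page's test system


def keyspace(alphabet_size, length):
    """Number of candidates of exactly `length` characters."""
    return alphabet_size ** length


def lm_alphabet_size(charset):
    """LM upper-cases input before hashing, so mixed case adds no symbols."""
    return len(set(charset.upper()))


def lm_keyspace(charset, length):
    """LM pads to 14 characters and hashes two 7-character halves
    independently, so the halves are searched separately and the work adds."""
    if not 1 <= length <= 14:
        raise ValueError("LM covers passwords of 1 to 14 characters")
    n = lm_alphabet_size(charset)
    first, second = min(length, 7), max(length - 7, 0)
    return keyspace(n, first) + (keyspace(n, second) if second else 0)


def seconds_to_exhaust(candidates, rate=ASSUMED_RATE):
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return candidates / rate


def compare(lengths=(6, 8, 10, 14)):
    """Rows of (class, length, naive seconds, LM-effective seconds)."""
    return [
        (name, n, seconds_to_exhaust(keyspace(len(cs), n)),
         seconds_to_exhaust(lm_keyspace(cs, n)))
        for name, cs in CHARSETS.items() for n in lengths
    ]


if __name__ == "__main__":
    for name, n, naive, lm in compare():
        print(f"{name:18} len={n:2}  naive={naive:.3e}s  lm={lm:.3e}s")
```

While LM hashes are stored, length beyond 7 characters and mixed case add little search cost; the naive column applies only to hash types that process the whole password case-sensitively.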