All passwords are first hashed before being stored. A hash is a one-way mathematical function that transforms an input into an output. It has the property that the same input will always result in the same output. Modern hashing algorithms are very difficult to break, so one feasible way to discover a password is to perform a brute force attack on the hash.
There are a few factors used to compute how long a given password will take to brute force. To compute the time it will take, you must know the length of the password, the character set used, and how many hashes can be checked every second.
On a modern computer (8 core, 2.8 GHz) using the SHA512 hashing algorithm, it takes about 0.0017 milliseconds to compute a hash. This translates to about 1.7*10^-6 seconds per password, or 588235 passwords per second. Although we will not use the metric in this article, it is important to note that a GPU, or 3D card, can calculate hashes at a speed 50-100 times greater than a computer. For the purposes of this KB article, we will calculate how long given passwords take to crack using a single modern computer. We also calculate how long they take to crack using a supercomputer, which is approximately equivalent to a botnet with 100000 computers. Modern supercomputers can be up to 150000 times faster than their desktop counterparts, and a 100000 computer botnet is feasible; the largest botnet to date is estimated to have 12 million computers. We also assume that on average, the password will be cracked when half of the possible passwords have been checked.
To demonstrate the importance of password complexity, let's start with a pincode password such as "123456789". In this case, the character set (0123456789) consists of 10 characters. For a 9 digit password using this character set, there are 10^9 possible password combinations. Therefore, it will take (1.7*10^-6 * 10^9) seconds / 2, or 14.17 minutes, to break this password on average. On a supercomputer or botnet, we divide this by 100000, so it would take 0.0085 seconds to break the password.
So, even if you use a very secure set of characters, your password should be at least 10 characters long. To break a 10 character password that uses letters, numbers, and symbols, such as "%ZBGbv]8g?", it would take (1.7*10^-6 * 80^10) seconds / 2, or 289217 years. This would take about 3 years on a supercomputer or botnet.
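The calculation above (keyspace = character set size to the power of the length, halved for the average case, divided by the hash rate and by the number of machines) can be carried out for any password with a few lines of code. The following Python script is an added example written for this article, not code from the original KB page. The only figures it takes from the article are the 588235 SHA-512 hashes per second for one desktop, the 100000-node botnet/supercomputer equivalent, and the 80-character "letters, numbers and symbols" set; the function and constant names, the year length of 365.25 days, and the `benchmark_sha512` helper (which measures the rough rate of Python's `hashlib.sha512` on the machine the script runs on) are this example's own assumptions.

```python
"""Brute-force time estimator following the KB article's model.

Added example, not part of the original article. Constants marked "from
the article" are the page's figures; everything else is an assumption.
"""
import hashlib
import os
import time

DESKTOP_HASHES_PER_SECOND = 588235   # from the article: ~0.0017 ms per SHA-512 hash
BOTNET_NODES = 100000                # from the article: supercomputer/botnet equivalent
SECONDS_PER_YEAR = 365.25 * 24 * 3600  # assumption: Julian year

# Character set sizes (the 80-character "full" set is the article's figure;
# the others are the usual counts for those sets).
CHARSETS = {
    "digits": 10,   # 0123456789
    "lower": 26,    # a-z
    "alnum": 62,    # a-z, A-Z, 0-9
    "full": 80,     # letters, numbers and symbols, as in the article
}


def average_crack_seconds(charset_size, length,
                          hashes_per_second=DESKTOP_HASHES_PER_SECOND,
                          nodes=1):
    """Expected seconds to recover a password by exhaustive search.

    The keyspace is charset_size ** length. Following the article, the
    attacker is expected to succeed after trying half of it, and `nodes`
    machines (or a GPU speed-up factor, if you prefer) divide the work.
    """
    keyspace = charset_size ** length
    return keyspace / 2 / (hashes_per_second * nodes)


def average_crack_years(charset_size, length, nodes=1):
    """Same estimate expressed in years (365.25-day years, an assumption)."""
    return average_crack_seconds(charset_size, length, nodes=nodes) / SECONDS_PER_YEAR


def human_duration(seconds):
    """Render a duration in the largest unit that keeps the number readable."""
    if seconds < 60:
        return f"{seconds:.4f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.2f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.2f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.2f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


def benchmark_sha512(iterations=20000):
    """Rough SHA-512 rate of this interpreter on one core.

    Includes Python call overhead, so it understates what native cracking
    tools achieve; it only shows how the article's per-hash figure is obtained.
    """
    salt = os.urandom(16)  # constructed input, not a real stored salt
    start = time.perf_counter()
    for i in range(iterations):
        hashlib.sha512(salt + i.to_bytes(4, "big")).digest()
    elapsed = time.perf_counter() - start
    return iterations / elapsed


def report(label, charset_size, length):
    """Print the desktop and botnet estimates for one password shape."""
    desktop = average_crack_seconds(charset_size, length)
    botnet = average_crack_seconds(charset_size, length, nodes=BOTNET_NODES)
    print(f"{label:>26}: {human_duration(desktop):>18} on one desktop, "
          f"{human_duration(botnet):>16} on a {BOTNET_NODES}-node botnet")


if __name__ == "__main__":
    print(f"measured hashlib.sha512 rate here: {benchmark_sha512():,.0f} hashes/s")
    report("9 digits (123456789)", CHARSETS["digits"], 9)
    report("10 lowercase letters", CHARSETS["lower"], 10)
    report("10 alphanumeric", CHARSETS["alnum"], 10)
    report("10 full-set (%ZBGbv]8g?)", CHARSETS["full"], 10)
```

Running the script reproduces the article's two figures (about 14.17 minutes and 0.0085 seconds for the 9-digit PIN; on the order of 289 thousand years and roughly 3 years for the 10-character full-set password) and shows how much the estimate moves when only the character set changes at a fixed length. Because the `nodes` parameter is just a multiplier on the hash rate, the same function covers the GPU case the article mentions but does not compute: pass `nodes=100` to model a card that is 100 times faster than the desktop.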