23 October 2013

Ensuring you use a strong password is an important part of staying safe online.

Weak passwords can be cracked extremely quickly by computers used by attackers to automatically guess passwords—systematically attempting one password after another.

For example, in the US, a computer has been recently built that is capable of guessing any eight character Windows password in just six hours. This system targets older Windows based logons, but has set a new benchmark for the speed at which passwords can be systematically guessed. On average, this computer is capable of making 350 billion password guesses per second—which means it can theoretically attempt every word in the English Dictionary (and more) in an instant.

Newer versions of Windows have better encryption and so are significantly more resistant to this attack, however, the sheer speed at which this machine is capable of testing passwords highlights the importance of choosing strong passwords for our everyday purposes. This computer was not expensive to build.

Passwords that use common words and numbers, such as your dog’s name or your birthday are far too easy for cyber criminals to guess by setting up such a system—even using an ordinary computer.

Cyber criminals attempting ‘brute force’ attacks, as they are described, also often employ vast lists of commonly used passwords, and entire dictionary lists of likely words, as the first combinations they will try.

When websites get hacked, any revealed passwords are also often added to lists of commonly used passwords.

This means that the most likely passwords any of us use—and variations of them—get tried first of all, dramatically reducing the number of guesses and time attackers require.

In many cases this entire process can be done without the knowledge of the victim or website involved. An attacker will take a copy of the list of encrypted passwords from a computer or website, and then with simple software to automate the guessing process, they wait for as many passwords to be cracked as possible.

Weaker passwords will tend to crack sooner, while stronger passwords require far more time and more computing effort than is feasible.

Password strength

This is why password strength is a key factor affecting your online security. You want to be sure your password, at a minimum, is not one of the more easily guessed combinations out there.

‘Strength’, refers to the overall length of the password as well as the possible character combination you choose: numbers, symbols and upper or lower case letters.

A weaker password is shorter and contains a less randomised mixture of all of these.

Dates, names, teams, anniversaries, pets and places are frequently used by people for passwords, and so they are also the options attempted first by attackers.

‘Password’ is still unfortunately the most commonly used password.

A stronger password is a longer and more random mixture of characters.

The computer mentioned above can crack any eight character (Windows) password in around six hours, while a nine character password would require three weeks, and a ten character password, more than five years.

Setting a strong password

Increasing the length of your password exponentially increases the time it takes to guess it, so it is wise to choose a longer one.

Your passwords should not comprise words, but a random mixture of upper and lower case characters, number and symbols.

Stay Smart Online has lots of useful advice about setting strong passwords that you can also remember!

Below is an indication of the time taken for the system in this example to guess a password based on the number of characters (assuming a random password chosen from 95 different characters: uppercase, lowercase, numbers, symbols).

Password length Time taken


2 seconds


3 minutes


5.5 hours


3 weeks


5.4 years


515 years


48 millennia


324 billion billion years

Protecting your data

An online system, such as your online banking, uses a controlled logon system. It is able to lock out an attacker after a few incorrect guesses, but only some systems on the internet have this ability. Cyber criminals often target this weakness in systems. If data (usernames and encrypted passwords) can be taken ‘offline’, an attacker can continue guessing passwords for as long as it takes to discover the right password.

It is therefore important that you use different, strong and unique passwords.

Information for businesses

Businesses using Windows should consider enforcing a minimum password limit and disable the LM algorithm. The LM algorithm is a weaker form of encryption that allows for password guessing at a faster rate than the newer NTLM algorithm, which is the default on versions of Windows since 2003. This is still commonly left active by some businesses for compatibility purposes.

Information for home users

Home users with Windows versions earlier than 2003 (such as XP) should consider upgrading their operating system. Improvements in password encryption algorithms are included by default in newer Windows operating systems.

(Microsoft will also cease its support for Windows XP in April 2014—another good reason to consider updating your operating system).

More information

The computer described in this example is discussed further on the blog WBITT.

Stay Smart Online has more information on choosing appropriate passwords and implementing security policies for businesses.

The information provided here is of a general nature. Everyone's circumstances are different. If you require specific advice you should contact your local technical support provider.


Thank you to those subscribers who have provided feedback to our Alerts and Newsletters. We are very interested in your feedback and where possible take on board your suggestions or requests.


This information has been prepared by Enex TestLab for the Department of Communications ('the Department'). It was accurate and up to date at the time of publishing.

This information is general information only and is intended for use by private individuals and small to medium sized businesses. If you are concerned about a specific cyber security issue you should seek professional advice.

The Commonwealth, Enex TestLab, and all other persons associated with this advisory accept no liability for any damage, loss or expense incurred as a result of the provision of this information, whether by way of negligence or otherwise.

Nothing in this information (including the listing of a person or organisation or links to other web sites) should be taken as an endorsement of a particular product or service.

Please note that third party views or recommendations included in this information do not reflect the views of the Commonwealth, or indicate its commitment to a particular course of action. The Commonwealth also cannot verify the accuracy of any third party material included in this information.


Facebook: www.facebook.com/staysmartonline
Email: staysmartonline [at] communications.gov.au
Web: www.staysmartonline.gov.au
You are receiving this message at the address [Email].
Update your profile preferences
If you no longer wish to receive this information, you can unsubscribe.

© 2013 Australian Government. All rights reserved

Connect with Stay Smart Online