Saturday
Mar292008
To crack 17-character AES password: 100 years and 1 billion dollars
Saturday, March 29, 2008 at 5:45PM In my previous 'Free File' article, I briefly reviewed the open-source compression-utility 7-Zip. Like most other archiving tools, 7-Zip is also capable of encrypting your files. To do this, it utilizes industry standard AES-256 encryption (a.k.a. Rijn Dael) and recommends a password strength of 10 characters or more. The Help-function in 7-Zip has a nice illustration of what it would take to crack a secure AES password.
To accomplish this, one would need:
- cesspools of time
- a processor capable of checking 10 passwords per second
- to check 10 billion passwords per second, a budget of at least 1 billion dollars
To illustrate the importance of adequate password length, here's a comparative table:
| Password Length | Single User Attack | Organization Attack |
| 1 | 2 s | 1 s |
| 2 | 1 min | 1 s |
| 3 | 30 min | 1 s |
| 4 | 12 hours | 1 s |
| 5 | 14 days | 1 s |
| 6 | 1 year | 1 s |
| 7 | 10 years | 1 s |
| 8 | 19 years | 20 s |
| 9 | 26 years | 9 min |
| 10 | 37 years | 4 hours |
| 11 | 46 years | 4 days |
| 12 | 55 years | 4 months |
| 14 | 64 years | 4 years |
| 15 | 82 years | 22 years |
| 16 | 91 years | 31 years |
| 17 | 100 years | 40 years |
Reader Comments (4)
Sir,
Commendable information.
I would further like to know, the data security in cryptainer files with more than 20 digits ( alpha ) password is secure enough ?
Sir,
Commendable information.
I would further like to know, the data security in cryptainer files with more than 20 digits ( alpha ) password is secure enough ?
Care to show your working? A factor of 30 difference going from a 2 to 3 characters password (which would only be correct if you had a 30 character alphabet) yet only a factor of 1.1 from 16 to 17 characters? How does that work?
Yeah, this table is completely wrong. If the size of the set of possible characters is C and the maximum number of characters in the password is N, then you will require roughly C^N/2 tries to crack the password -- the table appears to be assuming that you require on the order of C*N tries. A truly random 17 character password is wholly outside of the reach of pretty much anyone nowadays. Also, your statements assume that you can get another computer for only one dollar, and assumes it doesn't cost anything to power them. Finally, chances are you aren't trying to crack the password using AES, but using some hashing scheme which generates the actual key AES uses, and depending upon the hashing scheme you could possibly perform many millions or only a few guesses per second. Trying to crack the AES key directly would be utterly infeasible.