Errata Security have an interesting post on the hacking of a general’s mistress. In it, Robert David Graham looks at how long it would take someone to discover Paula Broadwell’s Yahoo! email password based on the hashed copy leaked in an email hack in late 2011. He states:

it’ll take 17 hours to crack her password using a GPU accelerator trying 3.5-billion password attempts per second, trying

all combinations of upper/lower case and digits.

(My emphasis)

I read that and thought: clearly he’s making an assumption here about the (maximum) length of the password. I wonder what the assumption was?

We can figure it out. Using maths!

All combinations of upper/lower case and digits means the following character set:

```
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
1234567890
```

That’s 62 characters in all. If passwords were only one character long, there would be 62 possible unique passwords (“a”, “b”, and so on). If they’re two characters long, there would be 62 * 62, or 3844 possible passwords (“aa”, “ab”, “ac”…). More generally, if the maximum password length is *n* characters, there are 62^{n} (62 raised to the power of *n*) possible unique passwords.

So how many characters did Graham assume for Paula Broadwell’s password? Well, he said it took 17 hours at 3.5 billion attempts per second to try every possible combination.

```
3,500,000,000 attempts per second
= 3,500,000,000 * 60 attempts per minute
= 3,500,000,000 * 60 * 60 attempts per hour
= 3,500,000,000 * 60 * 60 * 17 attempts in total
= c. 214,200,000,000,000 attempts
```

So what power of 62 is that? Let’s ask Wolfram Alpha.

But before we do, ask yourself: what do you think the answer is? Have a guess. What does your intuition tell you? A quarter of a quadrillion guesses should let you crack a fairly meaty password, right?

OK, now for the answer. Hey Wolfram Alpha, what’s log base 62 of 214,200,000,000,000?

The answer: **8.00**

So there we go, he was assuming a maximum of 8 characters in her password.

Then I actually *read* the rest of the blog post. :-)

As you see, it’ll take 17 hours to brute-force

eight upper/lower case and digits, even though it tries 3.5-billion passwords/second… Had her password been one character longer, I wouldn’t have cracked it.

(My emphasis again)

Well, maybe he would, but it would have taken 62 times as long to crack – approximately 44 days. If she’d used a 12-character password – just four little characters extra – it would have taken over 29,000 years to crack it using the same brute force approach on the same hardware. Four characters to make the difference between an overnight job and one that your thousandth generation of descendants may not live to see completed. That’s pretty mind blowing.

So there you have it. Use a longer password, folks!

*This article was originally published six months ago on gist.io. I wanted to give it a permanent home on this blog.*