I discovered today that the 20 character randomly generated password I thought I’d been using for an online banking service was actually being constrained to 6 characters by the bank. That got me doing some calculations…
With other restrictions they put in place I think the total possible number of passwords available is roughly 62 * 62 * 61 * 61 * 61 * 10 or 8.7 billion.
In the best case* scenario (passwords salted and then hashed using bcrypt with enough rounds to slow down attackers without making login times too slow) I think it would probably take a budget password cracking rig about 28 hours (on average) to crack each password if someone ever got hold of the data.
That’s probably slow enough to be a deterrent for many systems but I doubt that would stop an attacker who is going after bank log-ins!
Using the same calculations, and leaving the other password restrictions in place, increasing the password length to seven increases average cracking time to 1,697 hours (70 days per password) while eight characters increases it to 103,538 hours (almost 12 years) on that budget rig.
Even better would be to increase it to a minimum of 12 characters (with no maximum length) to make it 163 million years per 12 character password. That way, even if an attacker could somehow go 1 million times quicker than the budget rig, it would still take 163 years per password, more than enough time for the bank to detect that a breach has occurred and notify their customers to change their passwords.
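The calculations above as a small calculator, added here as an illustration and not part of the original post: it models the six-character policy as per-position alphabet sizes, calibrates the "budget rig" from the 28-hour figure, and extends the policy by appending 61-symbol positions (an assumption, since the post does not say how the longer passwords were modelled), which lands within a couple of percent of the post's numbers.

```python
"""Keyspace and average offline-cracking-time estimates for a constrained password policy."""
from typing import Sequence

SECONDS_PER_HOUR = 3600
HOURS_PER_YEAR = 24 * 365

# Constructed model of the policy described in the post: two positions from a
# 62-symbol set, three from a 61-symbol set, and one digit (10 symbols).
BANK_POLICY = [62, 62, 61, 61, 61, 10]


def keyspace(position_alphabets: Sequence[int]) -> int:
    """Distinct passwords allowed: the product of the per-position alphabet sizes."""
    total = 1
    for size in position_alphabets:
        total *= size
    return total


def extend_policy(base: Sequence[int], length: int, fill_alphabet: int = 61) -> list:
    """Keep the existing restrictions and pad to `length` with extra positions.
    Assumption: each extra character draws from the 61-symbol set."""
    if length < len(base):
        raise ValueError("cannot shrink the policy below its existing restrictions")
    return list(base) + [fill_alphabet] * (length - len(base))


def implied_guess_rate(space: int, average_hours: float) -> float:
    """Guesses/second a rig needs to clear half the keyspace in `average_hours`."""
    return (space / 2) / (average_hours * SECONDS_PER_HOUR)


def average_crack_hours(space: int, guesses_per_second: float) -> float:
    """Expected hours to find one password: half the keyspace at the given rate."""
    return (space / 2) / guesses_per_second / SECONDS_PER_HOUR


def average_crack_years(space: int, guesses_per_second: float, speedup: float = 1.0) -> float:
    """Same estimate in years, optionally for an attacker `speedup` times faster than the rig."""
    return average_crack_hours(space, guesses_per_second * speedup) / HOURS_PER_YEAR


# Calibrate the budget rig from the post's 28-hour average for the 6-character policy.
BUDGET_RIG_RATE = implied_guess_rate(keyspace(BANK_POLICY), 28)

if __name__ == "__main__":
    print(f"6 chars: keyspace {keyspace(BANK_POLICY):,}; rig ~{BUDGET_RIG_RATE:,.0f} guesses/s")
    for length in (7, 8):
        hours = average_crack_hours(keyspace(extend_policy(BANK_POLICY, length)), BUDGET_RIG_RATE)
        print(f"{length} chars: {hours:,.0f} hours on average")
    space12 = keyspace(extend_policy(BANK_POLICY, 12))
    print(f"12 chars: {average_crack_years(space12, BUDGET_RIG_RATE):,.0f} years on the rig")
    print(f"12 chars, 1,000,000x faster: {average_crack_years(space12, BUDGET_RIG_RATE, 1e6):,.0f} years")
```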
* I’m hoping the best case scenario is true. One would assume that security staff at one of Australia’s biggest banks HATE the fact that their customers’ passwords are so short but can’t do anything about it yet for legacy reasons. The worst case scenario is that this is indicative of systemic problems at the bank and there are several other poor security practices in place… no salting, a fast hashing algorithm (or worse, no password hashing), etc. If that’s the case, every single password would likely be compromised within hours of a breach occurring.