How long does it take to hack your password? (Security guide)

How long does it take to hack a typical password? Using brute force attacks between instantly and 438 trillion years.

Many thanks to Graeme Reardon, Managing Director of D-Link ANZ, who answered Jeffrey Kemp’s question, “Why do D-Link routers not accept simple passwords”.

Graeme answered on Boxing Day – that is service. ‘We disabled ‘simple password’ support a few years ago. The rise in IoT devices that still only support these types of passwords is a key reason why people continue to get hacked.”

He also attached research from Hive Systems, which is both gobsmacking and disturbing.

How long does it take to hack your password?

You see, not only are there brute force attacks (throw the dictionary at it), but AI machine learning and advanced graphics processing technology have slashed the time. Over the past two years, the most complex 18-character passwords have reduced in cracking time from 7 quadrillion years to a scant 438 trillion years. You can imagine what that means for simple passwords that most use.

What AI means to faster cracking

Let’s say you use a name (any name), fred. That is an instant crack.

  • OK, make that freddie – another instant crack.
  • Why not add a number and capitalise at least one letter (best not to capitalise the first letter – AI knows that trick) – fredD1e, and we are up to 1 minute.
  • Why not add a symbol? We suggest you avoid every symbol above your numbers on the keyboard as AI will try to substitute them first – fredD1; and you have a six-minute crack.

That is too easy for a hacker and AI.

Hive has a few recommendations to slow down a hack of your password (paraphrased)

  • Don’t use below a mix of 12 characters with Upper-and-Lower-case letters, numbers, and symbols. All of a sudden, it takes 3,000 years to crack. Sixteen characters are now recommended.
  • Thinks of a relevant phrase to extend the password (and not ones that are well worn or books, websites you frequently visit, or hit TV series names) like fredD1;theFox, and you are at 202,000 years to crack.
  • Never use the same password or partial password. It is not safe to use fredD1; as the root of the password for multiple sites, e.g., freD1;the Fish, freD1;the founder…
  • Never use your children’s or pet’s names as the root because AI already knows these from social media – it is smart. Totally unrelated names and phrases are best.
  • Please do not use your address (unless it is from several houses ago before 1992), date of birth, or phone number.
  • Do not store your passwords in email (like Outlook or Gmail), sticky notes, or text files on your computer.
  • Do not rely on Samsung, Google, or Microsoft Edge when they offer to store logins and passwords.
  • Use LastPass Password manager, free for a PC or Mac. Get a family subscription if you want to use it on smartphones, PCs, tablets etc. You set up a Master Password like fredD1;theFlounder and LastPass can store your existing passwords and generate new tough-to-crack ones. The paid version also has a secure folder where you can store details like Medicare, passport, driver’s licence, bank account numbers etc. We can’t live without this, especially as it allows biometrics (fingerprint) access to the password vault.

Finally, test your passwords at – my master password takes seven quadrillion years to crack, and I change it every 90 days.

What do hackers do with cracked passwords?

The most obvious is to access the internet account and try to defraud it. AI also combines all your dark web personal profile data to see if it can guess other passwords based on that root.

There is a massive market for cracked Facebook, Twitter, TikTok, Instagram and other social media accounts as it is sold to online marketers to use your account to promote their wares. There is also a market for video and audio streaming services.

If that account is your

  • Bank account they can empty it.
  • Telephone or internet provider, they can transfer the service to use for online marketers
  • Government Departments like Centrelink, they can divert pensions, NDIS and more
  • If they get 100 points of ID, they can apply for loans and more in your name. Fast-money and BNPL services are a massive target as they don’t conform to APRA regulations.

CyberShack’s view – How long does it take to hack your password? Nowhere near long enough

If I get one message out to you, that is to spend a little time with a password manager (LastPass) and fix this once and for all. Once you have, you do not need to change passwords unless there is a hack.

I am sure we all know at least one friend that has been hacked. From January to September 2022, Aussie consumers lost nearly $500 million to hackers, and 96% of us have had scam emails, SMS or calls to carry out remote access scams.