Notes on password strength

The words are chosen from a list of 5461 common British English words. 3811 of these are between 4 and 8 characters long (the standard minimum and maximum values). The table below shows how long it would take to crack a password made of 2, 3 or 4 words at three different guessing rates, using a brute force attack that simply tries every possible combination.

A rate of 1000 guesses per second is referred to in the xkcd cartoon as a plausible attack on a weakly secured server; whether a given password could be cracked at this rate would depend partly on how careful the sysadmin was when setting up the server, for example by preventing too many bad logins on the same username within a given time.

Number of words            Brute force cracking time at:
                           1000 per sec         1 per sec              1 per minute
2                          4 hours 2 minutes    168 days               27 years
3                          1 year 270 days      1755 years             100 thousand years
4                          6,600 years          6,600 thousand years   400 million years
8 random letters           6 years 227 days     6,600 years            6,600 thousand years
(for comparison)
6 random letters           3 days 14 hours      9 years 290 days       580 years
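The arithmetic behind the table, as an added worked example that is not part of the original page. It assumes the worst case (the attacker has to try every combination; on average a secret is found about halfway through), that words are picked independently with replacement from the 3811 in-range words, that the "random letters" rows use the 26-letter lowercase alphabet, and that a year is 365 days. The helper names (combinations, entropy_bits, seconds_to_crack, humanize, build_table) are this example's own; the page's table also rounds some figures more coarsely than the code does.

```python
# Added example: brute-force search-space arithmetic for the passphrase scheme
# described on the page. Assumptions (not stated by the page): full worst-case
# search, words chosen with replacement, 26-letter alphabet, 365-day years.
import math

WORDS_IN_RANGE = 3811      # words of 4-8 letters, from the page
LETTERS = 26               # lowercase alphabet for the "random letters" rows
SECONDS_PER_YEAR = 365 * 86400
RATES_PER_SECOND = {"1000 per sec": 1000, "1 per sec": 1, "1 per minute": 1 / 60}

# (unit name, size in seconds), largest first; used for human-readable output
UNITS = (("year", SECONDS_PER_YEAR), ("day", 86400), ("hour", 3600),
         ("minute", 60), ("second", 1))


def combinations(alphabet_size, length):
    """Candidates an attacker must enumerate for a secret of `length`
    symbols drawn with replacement from `alphabet_size` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Guessing entropy in bits: log2 of the search space. Useful for
    comparing schemes independently of any particular guess rate."""
    return length * math.log2(alphabet_size)


def seconds_to_crack(alphabet_size, length, guesses_per_second):
    """Worst-case seconds to exhaust the search space at the given rate."""
    return combinations(alphabet_size, length) / guesses_per_second


def humanize(seconds):
    """Render a duration with its two largest units, the smaller one rounded,
    e.g. 14523.7 -> '4 hours 2 minutes'."""
    for i, (name, size) in enumerate(UNITS[:-1]):
        if seconds >= size:
            sub_name, sub_size = UNITS[i + 1]
            total_sub = round(seconds / sub_size)        # whole count of the smaller unit
            big, small = divmod(total_sub, size // sub_size)
            text = f"{big:,} {name}{'s' if big != 1 else ''}"
            if small:
                text += f" {small} {sub_name}{'s' if small != 1 else ''}"
            return text
    return f"{round(seconds)} seconds"


def build_table():
    """Return rows of (label, {rate label: human-readable time}) mirroring the
    page's table: 2, 3 and 4 words, plus 8 and 6 random letters for comparison."""
    schemes = [("2 words", WORDS_IN_RANGE, 2), ("3 words", WORDS_IN_RANGE, 3),
               ("4 words", WORDS_IN_RANGE, 4), ("8 random letters", LETTERS, 8),
               ("6 random letters", LETTERS, 6)]
    rows = []
    for label, alphabet, length in schemes:
        times = {rate_label: humanize(seconds_to_crack(alphabet, length, rate))
                 for rate_label, rate in RATES_PER_SECOND.items()}
        rows.append((label, times))
    return rows


if __name__ == "__main__":
    print(f"{'Scheme':<18}{'bits':>6}  " + "  ".join(f"{r:<22}" for r in RATES_PER_SECOND))
    for label, times in build_table():
        alphabet, length = (LETTERS, int(label[0])) if "letters" in label else (WORDS_IN_RANGE, int(label[0]))
        bits = entropy_bits(alphabet, length)
        print(f"{label:<18}{bits:>6.1f}  " + "  ".join(f"{t:<22}" for t in times.values()))
```

Running the script prints a table in the same layout as the page's, with a guessing-entropy column added; two words from this list give just under 24 bits, while 8 random lowercase letters give about 37.6 bits, which is why the letters row outlasts the two-word row at every rate.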

