I blogged yesterday about the Eleventh Circuit case finding that compelling a defendant to provide an unencrypted copy of files would violate the Fifth Amendment. The drives in that case were encrypted using TrueCrypt (which I've discussed here).
Suppose a drive was encrypted using a fairly average but secure password: 1 upper case letter, 6 lower case letters, 1 number, and 1 special character. A brute-force attack could try all 2.5 trillion possibilities in about 3 days using only one computer.
If we upgrade the password to 3 upper case, 8 lower case, 2 numbers, and 1 special character, there are almost 12 quintillion combinations. Using one computer to crack it would take about 40,000 years (using modern-day computers), but if you could dedicate 100,000 computers to the task, it could be done in about 6 months.
Since TrueCrypt passwords can be up to 65 characters, these times could easily extend into millions of years.
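A worked version of the arithmetic in the three paragraphs above, as an added example rather than anything from the original post: it reproduces the post's keyspace figures under an assumed model in which each password position is drawn from a known character class (26 upper, 26 lower, 10 digits and an assumed 32 special characters), and an assumed rate of 10 million guesses per second for "one computer". Both assumptions are mine, chosen because they land on the post's "2.5 trillion" and "about 3 days" figures.

```python
import math

# Assumed character-class sizes (not stated in the post): 26 upper, 26 lower,
# 10 digits and 32 printable special characters. With these sizes the model
# below reproduces the post's "2.5 trillion" and "12 quintillion" figures.
CLASS_SIZES = {"upper": 26, "lower": 26, "digit": 10, "special": 32}

# Assumed throughput of "one computer" (not stated in the post), chosen so that
# 2.5 trillion guesses take about 3 days, as the post says.
GUESSES_PER_SECOND = 10_000_000

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def search_space(upper: int, lower: int, digit: int, special: int) -> int:
    """Number of candidate passwords when each position is known to come from a
    fixed class (the model that yields the post's figures). An attacker who does
    not know which positions hold which class faces a larger space, so this is a
    conservative, defender-side estimate of the keyspace."""
    return (CLASS_SIZES["upper"] ** upper
            * CLASS_SIZES["lower"] ** lower
            * CLASS_SIZES["digit"] ** digit
            * CLASS_SIZES["special"] ** special)


def entropy_bits(space: int) -> float:
    """Equivalent key length in bits: log2 of the number of candidates."""
    return math.log2(space)


def exhaustive_search_seconds(space: int, computers: int = 1,
                              rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate; on average the password is found
    after about half this time."""
    return space / (rate * computers)


def describe(seconds: float) -> str:
    """Render a duration in the unit a reader would naturally use."""
    if seconds < SECONDS_PER_DAY:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


def report(label, upper, lower, digit, special, computers=1):
    space = search_space(upper, lower, digit, special)
    secs = exhaustive_search_seconds(space, computers)
    print(f"{label}: {space:.3g} candidates, {entropy_bits(space):.1f} bits, "
          f"{describe(secs)} with {computers:,} computer(s)")
    return secs


if __name__ == "__main__":
    # The two passwords discussed in the post.
    report("1U 6L 1D 1S", 1, 6, 1, 1)
    report("3U 8L 2D 1S", 3, 8, 2, 1)
    report("3U 8L 2D 1S", 3, 8, 2, 1, computers=100_000)
    # Length dominates every other factor: each added lower-case character
    # multiplies the search space by 26, which is why long passphrases push
    # these estimates far beyond millions of years.
    report("3U 20L 2D 1S", 3, 20, 2, 1, computers=100_000)
```

The guess rate is the parameter to question, not the keyspace: how many candidates per second an attacker can test depends on the per-attempt cost of the key derivation the encryption software applies to the password, not only on raw CPU speed, so the same keyspace can correspond to very different cracking times.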
For a handy spreadsheet to calculate your password's security, click here for one from Mandylion Research Lab. I make no promises that the calculations are accurate because the math is much too complex for me!
UPDATE: Thanks to a reader comment, I've been directed to Gibson Research Corporation's calculator (by Steve Gibson). The page contains a lot of great information on password strength and some helpful and interesting links. Thanks for the tip!
Sounds like you are not aware of Steve Gibson's Password Haystacks page: https://www.grc.com/haystack.htm
He is a long-time security guru (he came up with the term Spyware back in the day) and this page provides a measure (in terms of centuries) that it would take to crack a password based on its complexity.