If your password is a common word or phrase, the bad guys won't have any trouble guessing it. That's just a fact of life. If you've taken care to use a seemingly random collection of various types of characters, the time to crack it by brute force totally depends on the size of the "search space." Gibson Research's "Haystack Calculator" will analyze your password and estimate the time needed to crack it.

Why the name? It's because cracking your password is like seeking a needle in a haystack. The bigger the haystack, the tougher the search.

How Big Is Your Haystack?
The basic calculation is quite simple, and takes place entirely in your browser using client-side JavaScript. Don't worry, you're not sending your passwords to Gibson Research! First, it sums the number of possible characters based on character sets you've used. The maximum would be 95 – 26 uppercase letters, 26 lowercase characters, 10 digits, and 33 symbols.

Each character in your password could be any of those characters, so the total number of possibilities starts with the number of available characters raised to the power of the password length. To that, the calculator adds the number of possibilities for each shorter length. So, for example, the search space for the password "42" is 110. That's 100 possible two-digit passwords plus 10 one-digit passwords.

Note that each character you add multiplies the size of the security space by the number of possible characters. Adding just one character to a password that includes all character types multiplies the size of the security space by almost 100.

How Long Would It Take?

The calculator also estimates how long it would take to crack that password using three different scenarios, including a massive cracking array that can make one hundred trillion guesses per second. A 12-character password using all character types would take 1.74 centuries even under this most powerful scenario. Adding just three characters cranks that up to 1.49 million centuries.

According to the calculator, cracking a super-long but memorable insanely secure password like "JFK.1989.AskNotWhatYourCountryCanDoForYou!" would take 3.73 hundred billion trillion trillion trillion trillion centuries. Of course, the fact that this password is built from ordinary words might give the hacker a head start... but only if he knows that's the case.

The lesson is clear. If you already have a strong password, you can make it vastly harder to crack by padding it with some easy-to-remember character. Adding just three characters enlarges the search space by almost a million times. Gibson points out that the password "D0g....................." is technically stronger than "PrXyc.N(n4k77#L!eVdAfp9". Both contain all character types, but the first is one character longer.

In short, size really does matter when you're creating a password . Whatever password you come up with, you can improve its resistance to brute force attack by padding it with something easily remembered at the beginning, end, or both.