To crack 17-character AES password: 100 years and 1 billion dollars

In my previous ‘Free File’ article, I briefly reviewed the open-source compression utility 7-Zip. Like most other archiving tools, 7-Zip can also encrypt your files. To do this it uses industry-standard AES-256 encryption (the Rijndael cipher) and recommends a password of 10 characters or more. The Help function in 7-Zip has a nice illustration of what it would take to crack a secure AES password.

To accomplish this, one would need:

  • an enormous amount of time
  • a processor capable of checking 10 passwords per second
  • a budget of at least 1 billion dollars to check 10 billion passwords per second

To illustrate the importance of adequate password length, here’s a comparative table:

Password length   Single user attack   Organization attack
      1           2 s                  1 s
      2           1 min                1 s
      3           30 min               1 s
      4           12 hours             1 s
      5           14 days              1 s
      6           1 year               1 s
      7           10 years             1 s
      8           19 years             20 s
      9           26 years             9 min
     10           37 years             4 hours
     11           46 years             4 days
     12           55 years             4 months
     14           64 years             4 years
     15           82 years             22 years
     16           91 years             31 years
     17           100 years            40 years
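The table above gives no formula, and the comment thread below questions how its numbers were derived. The following calculator is an added example (my own code, not from the original post or from the 7-Zip help file). It applies the standard exhaustive-search estimate: with an alphabet of C characters and a password of length N there are C^N candidates, and an attacker who guesses at random finds the password after about C^N / 2 tries on average. The guess rates (10 per second for a single user, 10 billion per second for an organization) are the ones stated in the post; the alphabet sizes are assumptions chosen for illustration. It also answers the defender's practical question: how long must a random password be so that the expected crack time at a given rate exceeds some number of years?

```python
import math

# Alphabet sizes used for illustration (constructed assumptions, not
# figures from the post or from 7-Zip).
CHARSET_SIZES = {
    "digits": 10,
    "lowercase": 26,
    "alnum": 62,
    "printable_ascii": 95,
}

# Guess rates stated in the post: a single user checking 10 passwords per
# second, and a 1-billion-dollar organization checking 10 billion per second.
RATE_SINGLE_USER = 10
RATE_ORGANIZATION = 10_000_000_000

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def search_space(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters: C^N."""
    return charset_size ** length


def expected_guesses(charset_size: int, length: int) -> float:
    """Average guesses needed for a uniformly random password: C^N / 2.

    The attacker finds the password, on average, halfway through the space.
    """
    return search_space(charset_size, length) / 2


def expected_seconds(charset_size: int, length: int, rate: float) -> float:
    """Expected wall-clock time at `rate` guesses per second."""
    return expected_guesses(charset_size, length) / rate


def human_duration(seconds: float) -> str:
    """Render a duration roughly the way the post's table does."""
    if seconds < 60:
        return f"{seconds:.0f} s"
    if seconds < 3600:
        return f"{seconds / 60:.0f} min"
    if seconds < 86400:
        return f"{seconds / 3600:.0f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.0f} days"
    return f"{seconds / SECONDS_PER_YEAR:.3g} years"


def crack_table(charset_size: int, max_length: int = 17):
    """Rows of (length, single-user seconds, organization seconds)."""
    return [
        (
            n,
            expected_seconds(charset_size, n, RATE_SINGLE_USER),
            expected_seconds(charset_size, n, RATE_ORGANIZATION),
        )
        for n in range(1, max_length + 1)
    ]


def min_length_for(charset_size: int, rate: float, years: float) -> int:
    """Smallest random-password length whose expected crack time at `rate`
    exceeds `years` years. This is the number a defender actually wants."""
    target = years * SECONDS_PER_YEAR
    n = 1
    while expected_seconds(charset_size, n, rate) < target:
        n += 1
    return n


def bits_of_entropy(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password, in bits: N * log2(C)."""
    return length * math.log2(charset_size)


if __name__ == "__main__":
    print("Random passwords over 62 alphanumeric characters:")
    print(f"{'Length':>6}  {'Single user':>14}  {'Organization':>14}")
    for n, single, org in crack_table(CHARSET_SIZES["alnum"]):
        print(f"{n:>6}  {human_duration(single):>14}  {human_duration(org):>14}")
    need = min_length_for(CHARSET_SIZES["alnum"], RATE_ORGANIZATION, 100)
    print(f"\nAlphanumeric length for >100 years against the organization: {need}")
```

Each extra character multiplies the work by the alphabet size, so the single-user column of a correct table grows by a factor of C per row, not by the roughly 10 percent per row shown in the post's table. The 7-Zip help figures also ignore that the archive's key is derived from the password by a slow hash, which lowers the real guess rate further; the calculator takes the rate as a parameter so that effect can be modelled by simply passing a smaller value.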

6 thoughts on “To crack 17-character AES password: 100 years and 1 billion dollars”

  1. Sir, commendable information. I would further like to know: is the data security in cryptainer files with a password of more than 20 (alpha) digits secure enough?

  3. Care to show your working? A factor of 30 difference going from a 2- to a 3-character password (which would only be correct if you had a 30-character alphabet), yet only a factor of 1.1 from 16 to 17 characters? How does that work?

  4. Yeah, this table is completely wrong. If the size of the set of possible characters is C and the maximum number of characters in the password is N, then you will require roughly C^N/2 tries to crack the password — the table appears to be assuming that you require on the order of C*N tries. A truly random 17-character password is wholly outside of the reach of pretty much anyone nowadays. Also, your statements assume that you can get another computer for only one dollar, and assume it doesn’t cost anything to power them. Finally, chances are you aren’t trying to crack the password using AES, but using some hashing scheme which generates the actual key AES uses, and depending upon the hashing scheme you could possibly perform many millions or only a few guesses per second. Trying to crack the AES key directly would be utterly infeasible.

  5. Hello there, just became aware of this website through Bing, and found that it is truly informative. I am gonna check out for new articles. I will be grateful if you continue this in future. Many people will get help from your posts. Bye!

  6. Pingback: Ten ways you can avoid being caught in the PRISM net | True Activist
