### Password Complexity and Cracking Speed

This activity can be prepared as either an interactive activity or a pre-defined worksheet. Interactive components are asking students for password patterns and asking students to look up cracking speeds of GPU machines online.

If used in non-interactive mode, prepare password patterns and cracking speeds in the handout ahead of time. Here is a table of common password cracking rates:

GPU Power | MD5 Algorithm | SHA1 Algorithm | SHA256 Algorithm | SHA512 Algorithm | bcrypt Algorithm |
---|---|---|---|---|---|

1 low-end GPU | 2.8 billion/sec | 879 million/sec | 337 million/sec | 103 million/sec | n/a |

1 mid-to-high-end GPU | 6.2 billion/sec | 2.4 billion/sec | 1.2 billion/sec | 90 million/sec | 4.5 thousand/sec |

1 high-end GPU | 7.9 billion/sec | 2.5 billion/sec | 1 billion/sec | 179 million/sec | n/a |

8 high-end GPUs | 93.8 billion/sec | 29.5 billion/sec | 12.3 billion/sec | 2 billion/sec | n/a |

25 mid-to-high-end GPUs | 180 billion/sec | 63 billion/sec | n/a | n/a | 71 thousand/sec |

The important part of determining the search space is knowing the number of possible characters in each type of character set. The following are common character sets:

Type of charset | Number of Characters |
---|---|

Digits/Numbers | 10 |

Lower-case Letters | 26 |

Upper-case Letters | 26 |

Symbols (e.g. # ! @ * % } = ? ,) | 34 |

All 7-bit Characters | 96 |

For the examples, draw an empty box for each character in the password. Under the box, say what type of charset it is. Inside the box, write how many characters are in that charset. Then show the students how to calculate the number of permutations by multiplying the boxes together. If the pattern uses the same type for each character, this can also be used to show how permutations can be calculated by exponents.

**Example 1**: 8 lower-case characters

____ ____ ____ ____ ____ ____ ____ ____ | | | | | | | | | | | | | | | | | 26 | * | 26 | * | 26 | * | 26 | * | 26 | * | 26 | * | 26 | * | 26 | |____| |____| |____| |____| |____| |____| |____| |____| Lower Lower Lower Lower Lower Lower Lower Lower26 * 26 * 26 * 26 * 26 * 26 * 26 * 26 = 26

^{8}

**Example 2**: 7 characters, either lower-case or digits/numbers

Now the number of characters for each "slot" will be 26 + 10 = 36.

____ ____ ____ ____ ____ ____ ____ | | | | | | | | | | | | | | | 36 | * | 36 | * | 36 | * | 36 | * | 36 | * | 36 | * | 36 | |____| |____| |____| |____| |____| |____| |____| LowerNum LowerNum LowerNum LowerNum LowerNum LowerNum LowerNum36 * 36 * 36 * 36 * 36 * 36 * 36 = 36

^{7}

**Example 3**: 6 lower-case characters followed by 2 numbers/digits

____ ____ ____ ____ ____ ____ ____ ____ | | | | | | | | | | | | | | | | | 26 | * | 26 | * | 26 | * | 26 | * | 26 | * | 26 | * | 10 | * | 10 | |____| |____| |____| |____| |____| |____| |____| |____| Lower Lower Lower Lower Lower Lower Number Number26 * 26 * 26 * 26 * 26 * 26 * 10 * 10 = 26

^{6}* 10

^{2}

You can either pre-calculate the result or have students use calculators to calculate the results, depending on their level of mathematics preparation.

Note: If you give the students the above table, this exercise can also be used to show how to convert between billion, million, etc. The numbers can also be expressed in scientific notation to reinforce those lessons.

Size of the Search Space Maximum Time to Crack = ------------------------ Password Cracking RateIf the result is large, this exercise can also be used to teach time unit conversions, e.g. convert seconds into minutes, hours, days, years, etc.

Comparing a fast algorithm (e.g. MD5) to a slow algorithm (e.g. bcrypt) can also be done during the activity.