June 2011

9-character passwords no longer secure?

Passwords of up to 9 random characters have been shown to be ‘crackable’ in relatively short time periods using the power of a single standard graphics card. So keep it long and complex, folks.

We spotted a rather worrying blog item this month from an expert who demonstrates how the processing power in a modern graphics card can be used to crack Windows password hashes, once considered safe from brute-force attack, in seconds to hours.

Vijay Devakumar used an everyday Radeon 5770 graphics card together with a free password-cracking tool called ighashgpu to test how quickly passwords of up to 9 characters in length could be recovered from their hashes. A graphics processor suits this job because the structure of a modern GPU (graphics processing unit) makes it far more efficient than a general-purpose CPU at workloads where the same simple computation is applied to large blocks of data in parallel, and hashing millions of candidate passwords is exactly that. Note that this is an offline attack: it assumes the attacker has already obtained the stored hash (for example by dumping it from a compromised machine or a captured backup), so account-lockout policies that limit live login attempts do nothing to slow it down.

In his blog, Devakumar compares the performance of the GPU with a general-purpose CPU in cracking Windows passwords of different lengths and character sets.

The results are striking:


Password length            Time taken by CPU and      Time taken by GPU and
(lowercase, uppercase      Cain & Abel software       ighashgpu software
and digits only)

5 characters               24 secs                    less than 1 second
6 characters               1 hr 30 mins               4 secs
7 characters               approx 4 days              17 mins 30 secs
8 characters               almost 1 year              18 hours 30 mins
9 characters               43 years                   48 days

(The password-length column was lost from this copy of the table; the lengths shown are inferred from the text, which says passwords of up to 9 characters were tested, with one row per length.)

what about complex passwords?

No doubt, users of passwords containing simple letter and number combinations will be concerned by the findings above. At least, they should be. But what happened when Devakumar introduced special characters into his passwords?


Password length            Time taken by CPU and      Time taken by GPU and
(all symbols found on a    Cain & Abel software       ighashgpu software
standard keyboard, e.g.
>, $, &, as well as
letters and digits)

8 characters               not tested                 25 days
9 characters               not tested                 almost 7 years

(Lengths inferred: the text states that the 9-character password with symbols took almost 7 years, and the 25-day row is consistent with one character fewer.)


so what constitutes a safe password?

Sorry, but you must be the judge of this. We see that a 9-character password containing symbols in addition to letters and numbers took almost 7 years to crack on a single consumer card, but as GPU speeds increase, and as attackers simply add more cards (the search divides evenly between them), that time will shrink.

More importantly, the number of characters is not the sole factor here. The time a brute-force attack needs is set by the size of the search space: the number of possible symbols raised to the power of the password length. Adding one character multiplies the space by the size of the alphabet (62 for letters and digits, roughly 95 for a full keyboard), while widening the alphabet raises the base. The results above bear out the advice we have offered previously, namely that the more complex the password, the longer it takes to crack. For example, it took Devakumar less than 2 seconds to crack a 10-character password containing only numbers, and longer passwords may be no safer if they are built from dictionary words or place names, because a cracker that tries words and their common variations never has to search the full space at all.
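The arithmetic behind the tables, together with a miniature version of the loop a hash cracker such as ighashgpu runs, as an added example that is not part of the original article or of Devakumar's blog. It assumes the hashes being attacked are Windows NTLM hashes (MD4 over the UTF-16LE password, with no salt), implements MD4 in pure Python so it runs offline, brute-forces a short constructed password to show the exhaustive search, and then uses the table's 48-day figure for 9 characters over 62 symbols to back out the card's implied hash rate and project it onto other alphabets and lengths. The sample password "zeb" and the 100,000-word dictionary size are constructed assumptions.

```python
"""Brute-force arithmetic behind the tables, with a toy NTLM cracker (added example)."""
import itertools
import string
import struct
import time

MASK32 = 0xFFFFFFFF


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(message: bytes) -> bytes:
    """MD4 (RFC 1320) in pure Python: slow, but dependency-free so the example runs anywhere."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    padded += struct.pack("<Q", (len(message) * 8) & 0xFFFFFFFFFFFFFFFF)

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    # (round function, message-word order, per-step shift pattern, round constant)
    rounds = (
        (f, tuple(range(16)), (3, 7, 11, 19), 0),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(padded), 64):
        x = struct.unpack("<16I", padded[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for func, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                s = shifts[i % 4]
                if i % 4 == 0:
                    a = _lrot((a + func(b, c, d) + x[idx] + k) & MASK32, s)
                elif i % 4 == 1:
                    d = _lrot((d + func(a, b, c) + x[idx] + k) & MASK32, s)
                elif i % 4 == 2:
                    c = _lrot((c + func(d, a, b) + x[idx] + k) & MASK32, s)
                else:
                    b = _lrot((b + func(c, d, a) + x[idx] + k) & MASK32, s)
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def ntlm_hash(password: str) -> bytes:
    """Windows NTLM hash: MD4 of the UTF-16LE password, unsalted (assumption stated in the lead-in)."""
    return md4(password.encode("utf-16-le"))


def brute_force(target: bytes, charset: str, max_len: int):
    """Exhaustive search over charset up to max_len: the loop a GPU cracker runs in parallel.
    Returns (password, candidates_tried); password is None if the space is exhausted."""
    tried = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            tried += 1
            candidate = "".join(combo)
            if ntlm_hash(candidate) == target:
                return candidate, tried
    return None, tried


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates for a random password of this length over this alphabet."""
    return charset_size ** length


def crack_time_seconds(charset_size: int, length: int, hashes_per_second: float) -> float:
    """Worst-case time to exhaust the keyspace (the expected time is half of this)."""
    return keyspace(charset_size, length) / hashes_per_second


def implied_rate(charset_size: int, length: int, seconds: float) -> float:
    """Hash rate a cracker must have sustained to exhaust a keyspace in the given time."""
    return keyspace(charset_size, length) / seconds


if __name__ == "__main__":
    # Constructed sample: a 3-character lowercase password, cracked with the toy loop above.
    target = ntlm_hash("zeb")
    start = time.perf_counter()
    found, tried = brute_force(target, string.ascii_lowercase, 3)
    cpu_rate = tried / (time.perf_counter() - start)
    print(f"recovered {found!r} after {tried} candidates ({cpu_rate:,.0f} NTLM/s in pure Python)")

    # Back out the GPU rate from the table's 48-day figure for 9 characters over 62 symbols.
    gpu_rate = implied_rate(62, 9, 48 * 86400)
    year = 365 * 86400
    print(f"implied GPU rate:      {gpu_rate:.2e} NTLM/s")
    print(f"9 chars, 95 symbols:   {crack_time_seconds(95, 9, gpu_rate) / year:.1f} years")
    print(f"10 digits only:        {crack_time_seconds(10, 10, gpu_rate):.1f} seconds")
    print(f"12 chars, 62 symbols:  {crack_time_seconds(62, 12, gpu_rate) / year:.0f} years")
    # Dictionary word plus two digits, assuming a 100,000-word list (constructed figure).
    print(f"word + 2 digits:       {100_000 * 100 / gpu_rate:.4f} seconds")
```

The projections are order-of-magnitude only: a real cracker's rate varies with the character set and with how the hash is implemented on the card, which is why the 95-symbol projection lands at about 6 years rather than the table's "almost 7". The last line is the point about dictionary words: a word followed by two digits has a search space of a few million, not 62^9, so a 9- or 10-character password built that way falls in a fraction of a second.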


