2. Enter Passphrase Word Count:
3. Enter Iterations (Default for master password is 100,000, everything else assume 1):
- This calculator assumes the passphrase was randomly generated by a computer. Avoid picking your own master password; let your password manager's generator do it for you.
- It also assumes you’re not reusing this passphrase anywhere else; you should never reuse passphrases or passwords.
- The total given is an estimate of what it would cost to crack one person's master password.
- The total factors in the hardware and electricity costs.
- The total is half the cost of trying every combination, because on average the attacker finds the correct master password after searching half of the possibilities (a 50/50 shot within the first half of the guesses).
Why A Dollar Amount?
Instead of telling you how long it would take to crack a passphrase, we’re showing how much it would cost as it’s a far more valuable metric.
An attacker taking 2 weeks to crack a master password could be outdone by someone willing to spend more money to get it done in 1 week.
When you boil it down, time is money, so showing you the cost is the only factor that matters.
How Strong Should Your Master Password Be?
The strength of your master password will come down to what it’s protecting.
If you’re worth millions then you need a master password that would cost more than you’re worth.
Consider your attacker and how much they are willing to spend on you, and then make your master password cost more than that.
Learn more about making a master password here.
How The Math Works
So if you have a 3-word passphrase using 1Password's list of 18,300 words, that would be a total of 18,300 × 18,300 × 18,300 = 6,128,487,000,000 combinations.
If you divide 6,128,487,000,000 by 4,294,967,296 (2^32, the number of guesses the $6 figure below buys), you get 1,427 (rounded up to the next whole number).
You then take 1,427 and multiply by $6 to get $8,562.
1Password rightfully assumes the attacker has a 50/50 shot of guessing the correct master password in the first half of guesses, so you would then take $8,562 and divide it by 2 to get $4,281 or about $4,200.
So with 3 randomly generated words from 1Password's generator, it would cost about $4,200 to crack.
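The arithmetic above, and the "make it cost more than the attacker will spend" advice from the previous section, as a small calculator. This is an added example, not the page's own calculator code. It uses the page's figures (18,300 words, $6 per 2^32 guesses, expected cost halved); treating the iteration count as a straight multiplier on that $6 figure is an assumption made here, consistent with the page's statement that iterations slow an attacker linearly, since the page does not say which iteration count its $6 figure refers to.

```python
import math

# Constants taken from the page's worked example.
ONEPASSWORD_LIST_SIZE = 18_300   # words in 1Password's generator list
GUESSES_PER_UNIT = 2 ** 32       # 4,294,967,296 guesses ...
COST_PER_UNIT_USD = 6            # ... are assumed to cost the attacker $6


def search_space(list_size: int, word_count: int) -> int:
    """Number of distinct passphrases: list_size ** word_count."""
    return list_size ** word_count


def crack_cost_usd(list_size: int, word_count: int, iterations: int = 1) -> float:
    """Expected cost, in dollars, to crack one randomly generated passphrase.

    Follows the page's steps: combinations / 2^32, rounded up to whole units,
    times $6, then halved because on average the attacker succeeds halfway
    through the search. Multiplying by `iterations` is an assumption made in
    this example (linear scaling, as the page states), not a figure from the page.
    """
    combos = search_space(list_size, word_count)
    units = -(-combos // GUESSES_PER_UNIT)          # integer ceiling division
    full_search_cost = units * COST_PER_UNIT_USD * iterations
    return full_search_cost / 2


def words_needed(list_size: int, budget_usd: float, iterations: int = 1,
                 max_words: int = 20) -> int:
    """Smallest word count whose expected crack cost exceeds the attacker's budget."""
    for n in range(1, max_words + 1):
        if crack_cost_usd(list_size, n, iterations) > budget_usd:
            return n
    raise ValueError(f"more than {max_words} words needed for a ${budget_usd:,.0f} budget")


if __name__ == "__main__":
    for n in (2, 3, 4, 5):
        print(f"{n} words: ${crack_cost_usd(ONEPASSWORD_LIST_SIZE, n):,.0f}")
    print("words needed to beat an attacker with $1,000,000:",
          words_needed(ONEPASSWORD_LIST_SIZE, 1_000_000))
```

Running it reproduces the $4,281 for three words and shows why each extra word matters far more than extra iterations: going from three to four words multiplies the cost by roughly 18,300, so four words is already beyond a million-dollar attacker under these assumptions.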
What Are Iterations?
Websites don’t store your actual password but a hashed version of it.
Think of a hash as a smoothie, if you blend the same raw materials for the same amount of time you always get the same smoothie.
The website compares the hash (or the “smoothie”) they have on file to the hash that was generated from your password to confirm you’re the correct user. Just like the smoothie, once blended, the hash can’t be returned to its raw material; the hash is irreversible, making it perfect for password storage on a server.
To slow down guessing, or to make your master password stronger without you doing anything extra, many password managers run the password through the hash function many times (a key derivation function such as PBKDF2 does exactly this). Hashing the hash over and over again is iterating the password. The more iterations, the more work every single guess costs the attacker.
Adding more iterations only slows an attacker down linearly (doubling the iterations doubles the cost), but adding one more word multiplies the cost by the size of the word list (18,300 times for 1Password's list), so word count grows the cost exponentially.
You don’t want too many iterations either, because every unlock has to do the same work: on an old or slow device the unlock can take so long that the app appears to have hung. This is why password managers like Bitwarden cap the setting at 2,000,000 iterations and recommend increasing it in increments of 50,000, testing on every device you use after each change.
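The "smoothie" storage-and-compare flow and the cost of iterations, as an added example that is not code from the page or from any password manager. It implements the literal "hash the hash over and over" the page describes using SHA-256 (an assumption for illustration; real managers use PBKDF2 or Argon2, which have the same linear-in-iterations cost), stores only salt, iteration count and digest, verifies an attempt by re-hashing it, and then brute-forces a constructed four-word toy list while counting hash calls so the linear (iterations) versus multiplicative (words) effect is visible in numbers.

```python
import hashlib
import hmac
import itertools
import os

# Constructed toy word list: 4 words, so a 2-word search is only 16 candidates.
TOY_WORDS = ["apple", "river", "stone", "cloud"]


def iterated_hash(passphrase, salt, iterations):
    """'Hash the hash' as the page describes it: SHA-256 applied `iterations`
    times to salt + passphrase. Returns (digest, hash_calls).
    Teaching stand-in only; use PBKDF2/Argon2 in real code."""
    digest = salt + passphrase.encode("utf-8")
    calls = 0
    for _ in range(iterations):
        digest = hashlib.sha256(digest).digest()
        calls += 1
    return digest, calls


def store(passphrase, iterations):
    """What the server or vault keeps: salt, iteration count and the final
    digest. The passphrase itself is never stored."""
    salt = os.urandom(16)
    digest, _ = iterated_hash(passphrase, salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify(record, attempt):
    """Re-blend the attempt with the stored salt and compare in constant time."""
    digest, _ = iterated_hash(attempt, record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


def crack(record, words, word_count):
    """Brute-force every word_count-word passphrase built from `words`.
    Returns (found_passphrase_or_None, total_hash_calls). Every candidate
    costs the attacker the full iteration count, which is the whole point."""
    total_calls = 0
    for combo in itertools.product(words, repeat=word_count):
        candidate = " ".join(combo)
        digest, calls = iterated_hash(candidate, record["salt"], record["iterations"])
        total_calls += calls
        if hmac.compare_digest(digest, record["digest"]):
            return candidate, total_calls
    return None, total_calls


def worst_case_calls(list_size, word_count, iterations):
    """Hash work for a full search: iterations multiply it linearly,
    each extra word multiplies it by list_size."""
    return list_size ** word_count * iterations


if __name__ == "__main__":
    rec = store("stone river", 1_000)
    print("correct passphrase verifies:", verify(rec, "stone river"))
    print("wrong passphrase verifies:", verify(rec, "stone cloud"))
    print("cracked (passphrase, hash calls):", crack(rec, TOY_WORDS, 2))
    for it in (1_000, 2_000):
        print(f"2 words x {it:,} iterations -> {worst_case_calls(4, 2, it):,} hash calls")
    print(f"3 words x 1,000 iterations -> {worst_case_calls(4, 3, 1_000):,} hash calls")
```

With the toy list, doubling the iterations doubles the full-search work (16,000 to 32,000 hash calls), while adding a third word quadruples it (16,000 to 64,000) because the list has four words; with 1Password's 18,300-word list that last multiplier is 18,300.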
Why Was The Passphrase Cracking Calculator Created?
I wanted to know how long my master password should be, and most of the cracking calculators on the internet never…
- Considered the number of iterations.
- Considered the different types of word lists.
- Used real-world cracking power.
It’s impossible to guess how strong your master password should be if you’re not factoring in these 3 things.