The results can be alarming, as they show how quickly high-powered computers can defeat most passwords in use today. The purpose of showing the results is to highlight the threat posed by attackers with access to multimillion-dollar supercomputers as well as those equipped with affordable and widely available GPU-assisted PCs and workstations.
The Brute-Force Attack
Passwords can be compromised in multiple ways. If the adversary was unsuccessful in capturing the plaintext password, the alternative is to attempt to recover it from a stolen copy of the password's hashed digital signature. Brute force is often the method of last resort for an attacker after all knowledge-based computational attacks have been tried. The method is used because it is effective.
Brute-force attacks are computationally driven, so their effectiveness is determined largely by the speed of the computers available to the attacker. Given the growing performance of modern supercomputers, parallel-processing graphics cards and specialized hash-producing ASICs, the power available to adversaries is formidable and rapidly increasing.
Entropy & Maximum-Time-To-Defeat
Entropy expresses a password's complexity as a number of bits. It is given by the formula \(H = \log_{2} N^{L}\), where N is the password cardinality and L is the length. The calculator displays entropy values for each password. However, while knowing a password's entropy enables one to calculate how many guesses are needed to defeat it, entropy doesn't indicate how long the password can survive a brute-force attack using the advanced computing technology available to attackers. To offer a more direct way of addressing the survivability question we have introduced the metric Maximum-Time-To-Defeat (MTTD). It is useful to examine password entropy and MTTD together to see the correlation between password complexity and survivability.
Maximum-Time-To-Defeat
Table 1: Passwords Defeated In One Day Or Less

| Password Length | Password Symbols | Password Entropy |
|---|---|---|
| 22 | Decimal (0-9) | 73.1 |
| 14 | Decimal, lower case alpha (a-z) | 72.4 |
| 14 | Decimal, upper case alpha (A-Z) | 72.4 |
| 12 | Decimal, upper & lower case (a-z, A-Z) | 71.5 |
| 11 | Decimal, upper & lower case, special chars | 72.1 |

Maximum-Time-To-Defeat (MTTD) is the amount of time the computer spends producing the entire set of combinations. The correct interpretation is that a brute-force attack needs no longer than the amount of time specified. It is important to understand that the time to defeat a specific password using the brute-force approach can be much less than the MTTD, because there's no reason to assume the attacker will have to test every incorrect password before the correct one is found.
To illustrate the point, consider a simple example. Suppose one has a three-character password composed of only decimal digits (0-9). That password selection can produce 1,000 (10 to the power of 3) possible password combinations, ranging from 000 to 999. Suppose one chooses a specific password from that pool of combinations and the one chosen is "333". If a brute-force attack is launched and begins with "000" and continues working upward, it will produce a corresponding match in one third the time required to generate all 1,000 combinations. Choosing "777" as the password doesn't help, because a brute-force attack could just as easily begin at "999" and work down. Alternatively, a brute-force attack could start in the middle and work outward.
If one entered the parameters of the "333" password example above into the calculator, one would find that the MTTD for the PC would be only 0.2 billionths of one second. This is virtually instantaneous. The supercomputer would defeat the password even faster. If one wants a password to have a specific lifespan, one should select a design that has an MTTD far greater (possibly millions of times greater) than the desired lifespan.
How Complex Should The Password Be?
Table 2: Relative Password Strength (All Include Decimal, Upper & Lower Case Alpha)

| Password Length | Supercomputer MTTD | PC MTTD |
|---|---|---|
| 8 | < 1 sec | 44 sec |
| 10 | 8 secs | 2 days |
| 12 | 9 hours | 20 years |
| 14 | 4 years | 78,652 years |
| 16 | 115,117 years | 302 million years |
Table 1, above, shows passwords that are all potentially defeated in less than a single day with current computing power. Row one shows that even a password 22 characters long using decimal digits only will be breached in under a day with present supercomputer power. Similarly, the supercomputer will defeat passwords of 14 characters in length with the addition of either upper or lower case characters, and do the same to a complex 11-character password consisting of decimal digits, upper & lower case and special characters. It is consistent that passwords with similar MTTD values have similar values for entropy.
Table 2 shows the relative strength of a set of passwords of varying length while holding the number of password symbols (password cardinality) constant, compared for both the supercomputer and the PC. In Table 2 all passwords have decimal digits and upper & lower case characters.
Several conclusions can be drawn from this data: (1) the strength of a password composed of random characters is proportional to password length and password cardinality; (2) longer passwords are better than short ones, and a larger cardinality is better than a small one; and (3) in view of present supercomputer power, it is high risk to use any password having 11 or fewer characters composed on a standard computer keyboard.
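The entropy formula, the MTTD definition and the advice to keep MTTD far above the desired lifespan can be combined into a small calculator. This is an added example, not the calculator's own code. The guess rates are assumptions back-derived from Table 2 (the page does not state them), the 94-symbol set is inferred from Table 1, and the function names are illustrative.

```python
import math

# Symbol-class sizes. 32 specials gives the 94-symbol set implied by Table 1's
# 72.1 bits at length 11 (an inference; the page does not list the specials).
CLASSES = {"decimal": 10, "lower": 26, "upper": 26, "special": 32}

# Assumed guess rates in guesses/second, back-derived from Table 2
# (62^8 in 44 s on the PC, 62^10 in 8 s on the supercomputer).
PC_RATE = 5e12
SUPERCOMPUTER_RATE = 1e17
YEAR = 365 * 24 * 3600  # seconds


def cardinality(*classes):
    """N: size of the symbol set built from the named classes."""
    return sum(CLASSES[c] for c in classes)


def entropy_bits(n, length):
    """H = log2(N^L), computed as L * log2(N)."""
    return length * math.log2(n)


def mttd_seconds(n, length, rate):
    """Worst case: time to generate all N^L candidates at `rate` guesses/s."""
    return n ** length / rate


def min_length(n, lifespan_s, rate, margin=1e6):
    """Shortest random password whose MTTD is >= margin * desired lifespan."""
    required_keyspace = lifespan_s * margin * rate
    length = 1
    while n ** length < required_keyspace:
        length += 1
    return length


if __name__ == "__main__":
    n = cardinality("decimal", "lower", "upper")  # Table 2's symbol set, N = 62
    for length in (8, 10, 12, 14, 16):
        print(length, round(entropy_bits(n, length), 1),
              mttd_seconds(n, length, SUPERCOMPUTER_RATE),
              mttd_seconds(n, length, PC_RATE))
    # Length needed for a one-year lifespan against the supercomputer,
    # using the million-fold margin the text suggests.
    print(min_length(n, YEAR, SUPERCOMPUTER_RATE))
```

The figures only hold for passwords whose characters are chosen uniformly at random; a password guessable by a knowledge-based attack falls long before its MTTD.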
The Starting Point For Effective Password Design
Given the continuing advances in supercomputer performance along with the wide availability of high-performance PC-based accelerators, the need to employ longer and more complex passwords to protect one's data is clear. The two questions one needs to ask before creating one's next password are: "What is the desired lifespan of the password?" and "Who do I need to protect the data from?". The answers to these questions will dictate the password design.
To learn how to create highly complex passwords see the Create Effective Password page.