A hacker uses a password cracking tool that will try to login to your account by trying all the possible password combination. A password cracking tool can test 1,953,000 passwords per second or even faster, depending on the hackers resource. A password cracking tool can also use a dictionary file to test password; using passwords such as name, birthday, and words can be hacked in 1 second or less. They can also use multiple computers to make the cracking process even faster.
Character set length plays a big role in password difficulty. A character set length is the number of character available for a character set. For example, a lower case alpha character set has a length of 26 (a-z), an upper case alpha has a length of 26 (A-Z), and a mixed case alpha has a length of 52 (a-z + A-Z).
Another is the password length, the longer your password is, the more difficult it is to hack. The relationship between password length and character set is possible_combinations = character_set ^ character length. Below is a table that shows a sample result, the test speed set is 1.953 million passwords per second. The formula used for the amount of time to crack a password is duration_to_crack = possible_combinations / test_speed.
|lower/upper case alpha||1||26||0.000013 seconds|
|lower/upper case alpha||4||456,976||0.233987 seconds|
|lower/upper case alpha||8||208,827,064,576||1 day 5 hours|
|mixed case alpha||1||52||0.000027 seconds|
|mixed case alpha||4||7,311,616||3.74 seconds|
|mixed case alpha||8||53,459,728,531,456||316 days 19 hours|
|mixed case alphanumeric||1||62||0.000031 seconds|
|mixed case alphanumeric||4||14,776,336||7.56 seconds|
|mixed case alphanumeric||8||218,340,105,584,896||3 years 6 months|
|mixed case all-characters||1||94||0.000048 seconds|
|mixed case all-characters||4||78,074,896||39.98 seconds|
|mixed case all-characters||8||6,095,689,385,410,820||98 years 11 months|
Defending from password cracking
The number one defense is to have a complex password combination with at least 8 characters long. Your password should be "easy to remember, hard to guess". If your password is too complex that you need to write it because you keep on forgetting, then you're doing it wrong.
The second line of defense is to check if your application supports account lockout policy. A lockout policy temporarily disables an account after a certain number of invalid login attempts. For example, after 3 invalid login attampts with your account, your account is temporarily disabled for 10 seconds. This means that the hacker can only try 3 passwords every 10 seconds.
The third defense is to prevent automated logins and can be done with the use of CAPTCHA. A CAPTCHA is test that determines wheter the login is done by human or computer. For example, a CAPTCHA might ask the user to select pictures that contains donut before login or might ask the user to type the distorted letters and numbers in a picture before login.
The second and third defense may not be always available, it will depend on your service provider if they support such feature; the best measure is still to use a hard to guess password because it does not rely on any third party implementations.