Increase Password Strength

Introduction

Currently Synapse only requires users to choose passwords of at least one character (a third-party security audit recently raised this issue). A single-character password is ridiculously weak.

Why does password strength matter? Any password can be hacked using a brute-force attack; the only question is how long it will take the attacker to guess it. Weak passwords can be hacked in seconds, while a strong password could take centuries. A single-character password (assuming the character set a-z, A-Z, 0–9) takes at most 62 attempts to hack.

Randomly Generated Passwords

Password strength for a randomly generated password is a function of the size of the character space and the number of characters in the password. To illustrate this, KeePass was used to randomly generate the following passwords (using only a-z, A-Z, 0–9). Each password was then tested with the zxcvbn demo to estimate how long a brute-force attack would take. The demo gives an estimate for unthrottled online attacks, which assumes an attacker can make 10 attempts per second, and for throttled online attacks, which limit the attacker to 100 attempts per minute.
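To generalise the table that follows beyond the eight passwords KeePass happened to produce, here is an added Python example (my own code, not part of this page, KeePass, zxcvbn or Synapse). It computes the full keyspace for any alphabet size and length, the worst-case time to exhaust it at a given guess rate, and the smallest length that survives a target search time. Because it counts every combination rather than using zxcvbn's pattern-based guess estimate, its figures for short passwords are larger than the table's; the trend (each extra character multiplies the work by 62) is the point. The 62-symbol alphabet and the two guess rates are the page's; the function names and the bucket thresholds in `humanize` are my own assumptions.

```python
import secrets
import string

# Character space used by the page's experiment: a-z, A-Z, 0-9 (62 symbols).
ALPHABET = string.ascii_letters + string.digits

# The two guess rates quoted from the zxcvbn demo, in guesses per second.
UNTHROTTLED_RATE = 10.0          # 10 per second
THROTTLED_RATE = 100.0 / 60.0    # 100 per minute


def keyspace(length, alphabet_size=len(ALPHABET)):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def worst_case_seconds(length, guesses_per_second, alphabet_size=len(ALPHABET)):
    """Time to try every password of this length at a fixed guess rate.

    On average an attacker succeeds after half the keyspace, so the typical
    time is half of this value; the worst case is what a policy should assume.
    """
    return keyspace(length, alphabet_size) / guesses_per_second


def humanize(seconds):
    """Round a duration into the coarse buckets the page's table uses (assumed thresholds)."""
    minute, hour, day = 60, 3600, 86400
    month, year, century = 30 * day, 365 * day, 36500 * day
    if seconds < 1:
        return "less than a second"
    if seconds < minute:
        return f"{round(seconds)} seconds"
    if seconds < hour:
        return f"{round(seconds / minute)} minutes"
    if seconds < day:
        return f"{round(seconds / hour)} hours"
    if seconds < month:
        return f"{round(seconds / day)} days"
    if seconds < year:
        return f"{round(seconds / month)} months"
    if seconds < century:
        return f"{round(seconds / year)} years"
    return "centuries"


def minimum_length_for(target_seconds, guesses_per_second, alphabet_size=len(ALPHABET)):
    """Smallest length whose exhaustive search takes at least `target_seconds`."""
    length = 1
    while worst_case_seconds(length, guesses_per_second, alphabet_size) < target_seconds:
        length += 1
    return length


def generate_password(length, alphabet=ALPHABET):
    """Uniformly random password from the OS CSPRNG (what a generator like KeePass does)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def strength_table(max_length=8):
    """One row per length: keyspace and worst-case time at both page rates."""
    rows = []
    for length in range(1, max_length + 1):
        rows.append({
            "length": length,
            "keyspace": keyspace(length),
            "unthrottled": humanize(worst_case_seconds(length, UNTHROTTLED_RATE)),
            "throttled": humanize(worst_case_seconds(length, THROTTLED_RATE)),
        })
    return rows


if __name__ == "__main__":
    for row in strength_table():
        sample = generate_password(row["length"])
        print(f"{sample!r:12} {row['length']:>2} {row['keyspace']:>18,} "
              f"{row['unthrottled']:>22} {row['throttled']:>22}")
    print("length needed for a 1-year search at 10/s:",
          minimum_length_for(365 * 86400, UNTHROTTLED_RATE))
```

Running it prints a table in the same shape as the one below, with a fresh random password per row; the keyspace column makes the factor-of-62 growth per character explicit.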

Random Password | Number of Characters | Unthrottled online attack (10 / second) | Throttled online attack (100 / minute)
----------------|----------------------|-----------------------------------------|---------------------------------------
'B'             | 1                    | less than a second                      | 7 minutes
'aw'            | 2                    | 1 second                                | 1 hour
'tJo'           | 3                    | 10 seconds                              | 10 hours
'1P4S'          | 4                    | 2 minutes                               | 4 days
'yHm6X'         | 5                    | 17 minutes                              | 1 month
'co9dDQ'        | 6                    | 3 hours                                 | 1 year
'52P5d23'       | 7                    | 1 day                                   | 11 years
'NAcviDGM'      | 8                    | 12 days                                 | centuries

This test illustrates that throttling the number of login attempts is probably more important than password length. Currently, Synapse does not throttle login attempts, so ten attempts per second is possible.
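Since the conclusion above is that throttling matters at least as much as length, here is an added Python example (my own code, not Synapse's) of a per-account sliding-window login throttle configured to the 100-attempts-per-minute figure used in the table. `LoginThrottle`, `FakeClock` and the choice to count every attempt (not only failures) are assumptions for illustration; counting all attempts is what makes the "100 per minute" ceiling in the table hold for a guessing attacker.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Per-account sliding-window limit on login attempts (added example, not Synapse code).

    Defaults match the throttled figure in the table: 100 attempts per 60 seconds.
    Every attempt is counted, successful or not, so a guesser can never exceed
    `limit` guesses per `window_seconds` against one account.
    """

    def __init__(self, limit=100, window_seconds=60.0, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock                       # injectable for tests
        self._attempts = defaultdict(deque)      # account -> timestamps inside the window

    def _recent(self, account, now):
        """Drop timestamps that have aged out of the window and return the rest."""
        q = self._attempts[account]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def allow(self, account):
        """Record an attempt and return True if it may proceed, False if the account is over its limit."""
        now = self.clock()
        q = self._recent(account, now)
        if len(q) >= self.limit:
            return False                         # reject without recording: the window keeps its start
        q.append(now)
        return True

    def retry_after(self, account):
        """Seconds until the oldest counted attempt leaves the window (0.0 if not limited)."""
        now = self.clock()
        q = self._recent(account, now)
        if len(q) < self.limit:
            return 0.0
        return self.window - (now - q[0])


class FakeClock:
    """Deterministic clock so the throttle can be exercised without sleeping (constructed for the demo)."""

    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t


def count_allowed(throttle, account, attempts):
    """Simulate `attempts` rapid guesses against one account; return how many got through."""
    return sum(1 for _ in range(attempts) if throttle.allow(account))


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle(limit=100, window_seconds=60.0, clock=clock)
    print("guesses accepted in one burst of 600:", count_allowed(throttle, "alice", 600))
    print("retry after (s):", throttle.retry_after("alice"))
    clock.t += 60.0
    print("accepted after the window passes:", count_allowed(throttle, "alice", 600))
```

Two caveats for deployment: a per-account limit caps guessing against one account, so a second limit keyed by client address is needed to stop an attacker spreading one guess each across many accounts; and a rejected attempt returns a generic error plus `retry_after` rather than revealing whether the account exists.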
