Knowing the common attack vectors against a password gives you an idea of how this can be calculated. Where we need a number, let's say that a desktop computer can check 4 billion (4x10^9) passwords per second, which seems to be about right.
It is important to understand that an attacker is rarely trying to crack only your password. Instead, they will have user IDs for a large number of accounts, and they want to crack as many of them as possible. Thus, it pays for them to spend most of their time cracking simple passwords and not to bother with difficult ones.
0. Really obvious attacks
Try the user ID as the password. It's amazing how many people do this. Your password is cracked instantly.
1. Dictionary attacks
This is simple. An attacker just needs to keep a list of (say) the 10 most common passwords in use, and check each of them in turn. This can be done in a second. If your password is on the list of the most common passwords, it can probably be cracked almost instantly.
2. Brute force
If your password is not in the dictionary, the other option is brute force. The time needed to crack a password this way depends on (a) the length of the password and (b) the size of the character set the password is drawn from. The general formula is:
timeTaken = (sizeOfSymbolSet ^ passwordLength) / (4*10^9)
For example, if your password consists only of lowercase letters, then the size of the character set is 26. Here is a list of how long it may take to crack the password as a function of its length:
Length   Time
4        0.1 millisecs
6        0.1 seconds
8        1 minute
10       10 hours
12       9 months
If you use all uppercase and lowercase letters, numbers and symbols, then the character set is closer to 100, so it takes longer to crack your password:
Length   Time
4        25 millisecs
6        4 minutes
8        28 days
10       800 years
12       8 million years
Don't relax too much though! The 8 million year figure assumes that your password is a random selection of 12 letters, numbers and symbols, i.e. your password is something like
t8Qkx# rxZAM@ %Kuc;p8WHmFU xDE!XE$rLGh4 KJdx2K8BS33K HTaeCc&t46L;
How many people have these passwords?
3. Combined methods
This relies on a combination of ingenuity and brute force. It is a cross between the first two methods that uses common "password conventions" rather than common passwords.
For example, many people have a password in the form of a dictionary word followed by a number. There are 2x10^5 words in the Oxford English Dictionary, so generating every combination of a word followed by a number gives about 2 million different passwords, which again can easily be checked in a second.
Other common conventions include replacing characters with similar-looking ones: o with 0, l with 1, a with @, etc. Once you have a list of dictionary words, it is trivial to generate all of these replacements. As a guess, this might increase the length of the list by a factor of 1000, which can still be checked in about a second.
I assume that the site uses a combination of some or all of these to determine how long it takes to crack a password.
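The checks described above, chained from cheapest to most expensive, as an added example (not code from the original text or from any password-checking site). The word lists are small constructed samples, and the names `estimate`, `symbol_set_size`, `UNSWAP` and `SWAP_FACTOR` are assumptions of this example; the rate and the factor of 1000 are the figures the text uses.

```python
import string

RATE = 4e9  # guesses per second, the figure used in the text
# Constructed sample lists; a real checker would load far larger ones.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein"}
WORDS = {"dragon", "monkey", "sunshine", "hello"}
UNSWAP = str.maketrans("01@", "ola")  # undo the substitutions the text names
SWAP_FACTOR = 1000  # the text's guessed list growth from substitutions
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def symbol_set_size(password):
    """Total size of the character classes the password draws from."""
    size = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    # Characters outside the four ASCII classes each count once (assumption).
    return size + len({c for c in password
                       if not any(c in cls for cls in CLASSES)})


def estimate(password, user_id=""):
    """Return (cheapest attack class that finds the password, seconds)."""
    if user_id and password.lower() == user_id.lower():
        return ("obvious", 0.0)
    if password in COMMON_PASSWORDS:
        return ("dictionary", len(COMMON_PASSWORDS) / RATE)
    # Combined: dictionary word, optional look-alike swaps, appended number.
    # Case is folded (assumption). Every split of the trailing digits is
    # tried, because a swapped word can itself end in a digit.
    trailing = len(password) - len(password.rstrip(string.digits))
    for n in range(trailing + 1):
        stem = password[:len(password) - n].lower().translate(UNSWAP)
        if stem in WORDS:
            return ("combined", len(WORDS) * 10 ** n * SWAP_FACTOR / RATE)
    # Brute force: sizeOfSymbolSet ^ passwordLength / rate, as in the formula.
    return ("brute force", symbol_set_size(password) ** len(password) / RATE)


if __name__ == "__main__":
    for pw in ("password", "dr@g0n7", "abcdefgh", "xDE!XE$rLGh4"):
        method, seconds = estimate(pw)
        print(f"{pw!r:16} {method:12} {seconds:.3g} s")
```

The brute-force figure is the time to exhaust the whole keyspace, matching the formula and tables above.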