# Sometimes we can’t even get the basics of Cybersecurity correct

Okay. A simple tutorial for you. Let’s take a password of “Apple”. If we use SHA-1, we hash this password and get a hash of [here]:

476432A3E85A0AA21C23F5ABD2975A89B6820D63

Now we have used a 128-bit hashing method (SHA-1), there are 2¹²⁸ different hashes. If we brute force with a 1TH/sec cracker, it will take (2¹²⁸/1x10¹²):

3,400,000,000,000,000,000,000,000,000,000,000 seconds

But we do not need to do this, as passwords are often not random, so we can either perform a dictionary attack or brute force with a given character set. So, let’s say a dictionary attack will not work, and now let’s see how long it will take to crack our hashed password.

If we assume we have upper and lower case, along with numbers and other characters [!@#\$%^&*()+_], we have 74 different characters, so a 5 character password has 70⁵ different combinations. If we use a 1 THash/sec cracker, the maximum time to crack the password will be 70⁵/1x10¹², and which is equal to 2.2 ms (one thousands of a second).

2.2 millisecond

Now let’s add another character (to give 6 characters), and we get 0.16 seconds, and another to give seven characters (12.15 seconds). With eight characters we get 14.99 minutes. The following gives the calculation [here]:

We can see that a nine character password takes less than a day to crack, but that a 10 character password takes nearly two months to crack. Our advice that we are given is thus to use passwords which are AT LEAST 10 characters long.

And so surely companies support users to put at least 10 character passwords in, as we now typically use strange pass phrases? Well, perhaps not in some cases, as someone discovered the HSBC did not check the password after a given number of characters:

The bank — on Twitter — says that it is not a security issue. Pweh! But it perhaps get even worse, where we considerably reduce the character set:

If you follow the stream, you see lots of others saying the same thing, and some even saying that some banks only take the first six characters:

This is the most basic things of things in Cybersecurity, and — if true — for a bank to be ignoring your characters after a given number is fairly shocking. The password must thus be truncated before it is hashed, and which makes no sense at all, as a hashed value output is always of the same size, so the longer the password the better.