I run cloudcracker.com, which would have gotten this pretty quickly.
If you look at public password compromises, the components of this password "900", "gage", and "!@#" each appear pretty frequently. So using a data-driven approach to build context free grammars based on real-world passwords you've found or already cracked will get passwords like this every time.
Basically, everyone thinks they're clever when they choose a password, but for the most part people are all being "clever" in the same way. If you think up your password, chances are you've lost.
Thanks for your reply, Moxie! How would cloudcracker fare against the four-word combos recently popularized by xkcd[1]? Even if it were known that the password was made up of four English words, what sort of time frame might it require to crack?
The comic claims an entropy of 44 bits for a 4-word phrase. That means 11 bits per word, so a dictionary of 2048 words, which sounds reasonable for "common English words".
A single ATI 5970 can compute 2300M SHA-1 hashes per second. So you're looking at about two and a half hours to run through the entire keyspace. Fewer on a farm (which Amazon will rent to you for a few bucks). That's assuming you know the dictionary, of course.
Of course, if the password is hashed with bcrypt or scrypt it will take much longer, although I'm not sure how to do that calculation.
Assuming you knew the dictionary and just wanted to add entropy, get a bigger dictionary. A sample one I downloaded has about 7261 unique 4-letter words, or about 16,920 5-letter words, combined it's 24,181 words. Between four and six letters there's 56,099 words.
Each of those sets will bring you up in entropy, from two quadrillion up to nine quintillion permutations. That would take the ATI 5970 about 4306184595 seconds, or 136.4 years. If you spread that out over 100 cards that would only take you 1.3 years to crack.
Maybe that's too close to call, so you can always change your password every 60 days to mitigate people with more money/time on their hands. If anyone ever wants my password that bad they should just give me the money they'd spend on cracking and i'll give them my password ;)
you're looking at about two and a half hours to run through the entire keyspace
That's a little faster than howsecureismypassword.net's estimate (154 octillion years on a desktop PC to crack "correct horse battery staple" (without quotes)).
It's pretty likely you do. Just take the N most common English words, and retry with a higher N if that doesn't work. That will crack "correct horse battery staple" quickly.
I think that's totally on the right track, but if people start to do that, chances are that they'll start to create exploitable patterns again (maybe they already exist, I don't even really keep track of how my password cracking dictionaries are evolving).
What I recommend is that people use diceware (http://www.diceware.com) to create a six-word passphrase, which they use to secure a password manager. Then use the password manager to generate random 12-character (alpha+numeric+symbol) passwords for each login.
Thanks for the followup, Moxie! Very much appreciate such an informed opinion. I've been following your recommendation, albeit with KeePass instead of Diceware. I have purposely avoided any sort of integration with browsers or closed-source software; security certainly trumps convenience or features.
Four English words chosen with a truly random generator will obviously give 4 times log(<size of dict>) bits of entropy. Four English words that you came up with yourself is different. I'd choose "sky blue ice dawn" :)
The nice thing about this technique is that it's pretty easy to remember randomly selected words. But even if you think them up yourself, you probably don't substantially shrink the key space an attacker has to search through as long as you avoid grammatical structures and words that have obvious connection to you.
If you look at public password compromises, the components of this password "900", "gage", and "!@#" each appear pretty frequently. So using a data-driven approach to build context free grammars based on real-world passwords you've found or already cracked will get passwords like this every time.
Basically, everyone thinks they're clever when they choose a password, but for the most part people are all being "clever" in the same way. If you think up your password, chances are you've lost.