I’ve always questioned whether there was any benefit in changing my password, so I thought I would try and work it out.

The initial conditions are:

- Someone is already trying to hack my password and methodically working through the combinations
- No-one is currently trying to hack my password

If I’ve got a password that is 8 characters long, using all the allowable printable characters, there are 645,753,531,245,761 possible options. Let’s say a computer can check 10,000 per second; then on average it will take 645,753,531,245,761 / (10,000 * 2) seconds to crack. To keep it simple, let’s round the numbers a bit.

Total number of options = 6.45 x 10^{14}

Options tried per second = 1 x 10^{4}

Seconds per year = 3 x 10^{7}

So, the simple calculation to crack my password (on average) is

6.45 x 10^{14} / (1 x 10^{4} x 2 x 3 x 10^{7}) years.

That’s about 1,000 years if I’ve got my sums right.

So, let’s set aside whether I need to change my password at all, given I’m unlikely to keep it for 1,000 years (and if we were going to make this argument properly, we should probably look at when there is an unacceptable risk of my password having been cracked rather than the mean time to crack).

If no one has started cracking my password, then there is no benefit in changing it, as doing so is not going to change the probability of it being cracked (one could probably argue that changing it increases the risk slightly, as I might have to write it down in order to remember it if I change it often).

So the benefit rests on:

1. How likely is it that someone is hacking my account right now?
2. Does changing my password increase or decrease the probability of them working it out?

I’ve not got the data to calculate (1), so let’s look at (2). The diagram below shows the position when someone is hacking my account: they have already tried a number of passwords; let’s call this value t. They haven’t tried the remainder, and my password sits somewhere in the remainder (assuming I know I haven’t been hacked yet).

So:

- t is the number of passwords already tried.
- T is the total number of combinations.
- nt is the number of passwords not tried, i.e. nt = T - t.
- p is the index of my password in the total number of combinations.

The probability that my password is next to be hacked is 1/(nt), assuming that my password lies randomly in the untried set.

If I change my password, there’s a chance of t/T that I jump into the already tried set (a good thing), and there’s a chance of 1/(T-1) of unfortunately choosing the next password to be tried. In this case, clearly 1/(nt) > 1/(T-1), so changing my password is a good thing.

Let’s ask the question: does changing my password have more chance of moving me closer to the boundary where the hacker is?

The number of combinations lying between where the hacker currently is and my password is (p - nt), so the probability of choosing a password in this range is

(p - nt) / (T-1)

NB the -1 is because we assume that my password needs to be changed to something different.

So the answer to the question "should I change my password?" rests on whether

(p - nt) / (T-1) > 0.5, i.e. am I more likely to choose somewhere in the danger area or outside it?

Or

(p-nt) > ½ (T-1)

Whether this is true or not depends on where my password started, the order the hacker is working through the set, and how far through it they are.
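As an added example (not code from the post), here is the argument above turned into a small model: the first function does the 1,000-year sum, the second computes the probabilities exactly as the post defines them together with its decision rule, and the third goes a little beyond the post by drawing random replacement passwords and counting where they land relative to the hacker's position, so the closed forms can be compared against a simulation. T, t, p and nt are the post's symbols; the sample numbers are constructed.

```python
"""Model of the sequential-attacker argument above (added example, not the post's own code).

T = total number of candidate passwords, t = number the hacker has already tried
(in a fixed order), p = 1-based position of my current password in that order,
nt = T - t = untried candidates. Sample numbers below are constructed for illustration.
"""
import random


def years_to_crack(options: float, guesses_per_second: float,
                   seconds_per_year: float = 3e7) -> float:
    """Mean time to crack: on average the hacker must try half the space."""
    return options / (guesses_per_second * 2 * seconds_per_year)


def page_quantities(T: int, t: int, p: int) -> dict:
    """The probabilities the post defines, computed as written there."""
    if not (0 <= t < p <= T):
        raise ValueError("need 0 <= t < p <= T: the password is still untried")
    nt = T - t
    return {
        "next_if_kept": 1 / nt,                      # 1/(nt)
        "jump_into_tried": t / T,                    # t/T
        "next_if_changed": 1 / (T - 1),              # 1/(T-1)
        "danger_range": (p - nt) / (T - 1),          # (p - nt)/(T-1)
        "change_is_risky": (p - nt) > (T - 1) / 2,   # the post's decision rule
    }


def simulate_change(T: int, t: int, p: int, trials: int, seed: int = 1) -> dict:
    """Pick a new password uniformly from the T-1 other candidates and record
    where it lands relative to the hacker's position t and the old password p."""
    rng = random.Random(seed)
    already_tried = between = 0
    for _ in range(trials):
        q = rng.randrange(1, T + 1)
        while q == p:                   # the new password must differ from the old one
            q = rng.randrange(1, T + 1)
        if q <= t:
            already_tried += 1          # hacker has passed it: not found in this sweep
        elif q < p:
            between += 1                # lands between the hacker and the old password
    return {"already_tried": already_tried / trials, "between": between / trials}


if __name__ == "__main__":
    print(f"{years_to_crack(6.45e14, 1e4):.0f} years")          # the post's ~1,000 years
    print(page_quantities(T=1000, t=600, p=900))
    print(simulate_change(T=1000, t=600, p=900, trials=100_000))
```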

So, the answer to the question "is it worth changing my password?" is

**Only if you know how far through hacking your account someone is; otherwise it might increase the risk.**

This seems to fly in the face of standard IT security practice, so, whilst it will probably be embarrassing, could someone point out the flaw?