Quiz Entry - updated: 2026.05.31
A 10-character password using only upper- and lowercase letters can be brute-forced in ~3 days on rented AWS hardware. What does that imply for risk management?
~3 days × 24 h × $25/h × ~0.5 average = ~$900 — the economic "value" of cracking that password to an attacker.
The example (from a Security Factory benchmark of NTLM hashes at 632 GH/s on an AWS p3.16xlarge) makes risk concrete:
- Cost to attacker ≈ price they'd pay for what's behind the password. If your account protects $5 of value, no one rents the box. If it protects $5 million, $900 is a bargain.
- Adding length and special characters flips the economics fast: 12 chars + symbols → ~162 years; 14 chars + symbols → ~176 bn years.
- A password policy is therefore not just a UX rule — it's a risk-reduction control whose strength is measured in dollars an attacker would need to spend.
Tip: Whenever someone says "is this password strong enough?", reframe as: how much would it cost an attacker, and is that more than the asset is worth? That is risk thinking applied to a single control.