Sustainable Authentication

Gordon E. Moore, co-founder of Intel, published a famous observation in 1964. He basically said, “It seems like the number of transistors we can put on a processor doubles about every two years.” Popularly called Moore’s Law, this observation has been generalized to say that computing power in general follows an exponentially increasing trend.

My point? This does not bode well for passwords.

The book The Cuckoo’s Egg details perhaps the first well-documented case of password cracking. Its author, an astronomer named Clifford Stoll, uncovered the attempt in 1986. He estimated that a dictionary attack (where the cracker guesses a password using a list of common choices) would take about a month. A brute force attack (trying every possible character combination), he thought, would be unthinkable.

Nevertheless, in 1989, Feldmeier and Karn published “UNIX Password Security - Ten Years Later.” They observed that the average-priced computer had increased its ability to crack passwords by five orders of magnitude in ten years. They estimated that a dictionary attack would now take 2 minutes on common hardware, and a brute force attack, at 1000 guesses per second, would take 208,000 years to guess all possible combinations for an 8-character password.

Fast-forward 11 years. In 2000, a dictionary attack takes a matter of seconds. 48,000 guesses can be made per second, and an 8-character password would take 4764 years to exhaust.

Two years later, GeodSoft estimated that 100,000 guesses could be made per second. That’s 2000 years to try all 8-character passwords.

Today, the software John The Ripper can reach 1.6 million password guesses per second under some circumstances. That’s 160 times what was estimated five years ago. If you started today, on the right computer, you could guess every single possible 8-character password in under 13 years.

A decade still sounds like a lot, but compare that to the nearly 5 millennia it would have taken seven years ago.
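The figures above all come from the same arithmetic: the number of possible passwords (alphabet size raised to the password length) divided by the guess rate. The following is an added example, not code from the original post, that carries that calculation through and then applies the post's own premise (guess rates doubling every two years) to estimate how long a given keyspace stays out of reach. It assumes a 95-character printable-ASCII alphabet and a 365-day year; the post does not say which alphabet its own numbers used, so the results here will not match them exactly. The optional `hash_cost_factor` is a hypothetical parameter showing how a deliberately slow password hash reduces the effective guess rate.

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 3600  # assumption: a 365-day year
PRINTABLE_ASCII = 95                # assumption: space through '~'


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def years_to_exhaust(alphabet_size: int, length: int,
                     guesses_per_second: float,
                     hash_cost_factor: float = 1.0) -> float:
    """Years needed to try every password of the given shape.

    `hash_cost_factor` models a slow password hash: a hash that costs
    1000x a fast hash cuts the attacker's effective rate by 1000x.
    """
    effective_rate = guesses_per_second / hash_cost_factor
    return keyspace(alphabet_size, length) / effective_rate / SECONDS_PER_YEAR


def years_until_exhaustible(alphabet_size: int, length: int,
                            guesses_per_second_now: float,
                            within_years: float = 1.0,
                            doubling_period_years: float = 2.0) -> float:
    """Moore's-law style extrapolation.

    If guess rates double every `doubling_period_years`, how many years
    from now until the whole keyspace can be exhausted in `within_years`?
    Returns 0.0 if today's rate is already sufficient.
    """
    needed_rate = keyspace(alphabet_size, length) / (within_years * SECONDS_PER_YEAR)
    if needed_rate <= guesses_per_second_now:
        return 0.0
    doublings = math.log2(needed_rate / guesses_per_second_now)
    return doublings * doubling_period_years


if __name__ == "__main__":
    # Guess rates quoted in the post, per second (constructed table from its text).
    rates = [("1989", 1_000), ("2000", 48_000), ("2002", 100_000), ("today", 1_600_000)]
    for label, rate in rates:
        print(f"{label:>6}: 8 chars exhausted in {years_to_exhaust(PRINTABLE_ASCII, 8, rate):>12,.0f} years")

    # Two defender-side levers: longer passwords and slower hashing.
    print(f"12 chars at 1.6M/s: {years_to_exhaust(PRINTABLE_ASCII, 12, 1_600_000):,.0f} years")
    print(f" 8 chars at 1.6M/s, hash 1000x slower: "
          f"{years_to_exhaust(PRINTABLE_ASCII, 8, 1_600_000, hash_cost_factor=1000):,.0f} years")

    # How long until an 8-character keyspace falls within a single year of guessing?
    print(f"8 chars exhaustible within a year in about "
          f"{years_until_exhaustible(PRINTABLE_ASCII, 8, 1_600_000):.1f} years")
```

Run it as a script to print the table; the functions are what the post's "years to exhaust" figures depend on, and the extrapolation is the reason the post argues that memorized passwords alone cannot keep pace.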

There’s only so long that the human brain’s capacity for memorizing passwords is going to outpace computers’ ability to guess them.

This motivates what I’m calling the First Principle of Sustainable Authentication: Authentication should remain relevant and viable in spite of advances in computing power.
