I was playing around with a DigitalOcean droplet. Linux Ubuntu 18.04.
I had a root password about 8 alphanumeric characters long. Port 22. It would take about 3 days for hackers with Chinese IP addresses to break into it.
I replicated this experiment a couple of times. And each time it took about 3 days.
So I stopped using a password and switched to SSH keys.
DigitalOcean generates an initial root password that's 26 alphanumeric characters long. Is that much more secure? (After the first log-in DigitalOcean requires you to choose your own password, so I would choose shorter passwords of 8 characters so I could memorize them.)
Your thoughts on how long would it take hackers to brute force it?
Interesting question and testing of the hackers with the Chinese IP!
I'll assume that by 'alphanumeric', you mean [A-Za-z0-9], or 62 characters. If they average 3 days to crack an 8-character password, then it should take 6 days to cover all of the 62^8 possible passwords, so they're able to guess 62^8 ÷ (6×24×60×60) = 421180759 passwords per second. A 26-character password at that same rate would take 62^26 ÷ 2 ÷ 421180759 ÷ (60×60×24×365), or 1.5 nonillion years to break, on average.
That said, 421180759 passwords per second is really impressive. I'm guessing your 8-character passwords are not truly random, but rather made up of dictionary words or other semi-predictable components, thus making our guesses-per-second calculation off. They probably can't break the 26-character password in 1.5 nonillion years.
By the way, password strength is often measured in bits of entropy. The 8-character password is log₂(62^8), or 48 bits of entropy, assuming it's truly random. The 26-character password comes in at a whopping 155 bits of entropy! If you haven't seen it, you also must read the classic xkcd password strength comic.
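The calculation in the answer above, carried through as an added example (not code from the original poster or the answerer). It assumes the same model the answer uses: a 62-character alphabet, a uniformly random password, and an observed crack time equal to half of a full keyspace sweep.

```python
import math

# Attacker model from the answer: an average crack time of D days means the
# attacker can cover the whole keyspace in 2*D days (assumption taken from
# the answer, not a measured fact about any real attacker).

SECONDS_PER_DAY = 24 * 60 * 60
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of possible passwords for a uniformly random password."""
    return alphabet_size ** length


def guesses_per_second(alphabet_size: int, length: int, observed_days: float) -> int:
    """Infer the attacker's guess rate from the observed average crack time."""
    full_sweep_seconds = 2 * observed_days * SECONDS_PER_DAY
    return math.floor(keyspace(alphabet_size, length) / full_sweep_seconds)


def expected_years_to_crack(alphabet_size: int, length: int, rate: float) -> float:
    """Average time to hit a random password: half the keyspace at the given rate."""
    return keyspace(alphabet_size, length) / 2 / rate / SECONDS_PER_YEAR


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password: log2 of the keyspace."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    alphabet = 62  # [A-Za-z0-9]
    rate = guesses_per_second(alphabet, 8, observed_days=3)
    print(f"inferred rate: {rate} guesses/s")
    for length in (8, 12, 16, 26):
        years = expected_years_to_crack(alphabet, length, rate)
        bits = entropy_bits(alphabet, length)
        print(f"{length:2d} chars: {bits:6.1f} bits, ~{years:.3g} years at that rate")
```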