I blogged last week about Dennis Yurichev's FPGA password cracker here in a blog titled "Update to Dennis Yurichevs FPGA cracker plus exploit code for the CPU CVSS 10.0 bug" and i set off two example cracker sessions for users with passwords; one starting with AA and the other starting with ZZ:
AA 3FC24C0BFAED94B1 test 1 - http://www.petefinnigan.com SOLVED ZZHG76J time spent: 21m31s; average speed: 69M
AB 111E83722DB9BF88 test 2 - http://www.petefinnigan.com SOLVED AAGHB6G time spent: 40s; average speed: 81M
The results above are from Dennis's site. This proves my theory that if you choose a password starting with AA its cracked much faster with Dennis's cracker than one starting with ZZ. This is replicated with software based crackers cycle through possible passwords by walking the character set in the same order as the alphabet.
This is really important to remember when you create password verification and password management rules. One thing you should be doing is designing password complexity and length and also calculating password lifetimes so that if a prolonged attack is made against your passwords with a password cracker they will survive their own lifetime. This means you must consider the "flaws" (perhaps the wrong word but it will suffice for this discussion) in the passwords crackers out there. If you design a password length assuming that a password would fall in perhaps 50% of the time necessary to try all possible passwords with decent average hardware and a software based cracker then you must ensure that passwords cannot start with easier (quicker) to cracker letters or you must increase the length of the passwords. There is a downside to forcing a reduced character set for a password to counteract a password attack with password crackers - it in itself makes the password weaker and someone could modify an existing cracker source code to exploit this against your passwords - so be careful and ensure your rules are not leaked and ensure that you cover all bases.