In a weekend news story on the CNN portal, reporter John D. Sutter says that the Georgia Tech Research Institute recommends that internet users now treat a 12-character password as the minimum.
If, like many people, you find a 12-character password difficult to remember, the Institute also says that you can use a sentence, rather than a word/number sequence, as an aide-mémoire.
Researchers at the Institute have reportedly used clusters of PCs with graphics cards – presumably running software from the likes of Elcomsoft, Infosecurity notes – to crack eight-character passwords in less than two hours.
But when the same methodology was applied to a 12-character password, the researchers found it would take more than 17,000 years to crack.
"We've been using a commonly available graphics processor to test the integrity of typical passwords of the kind in use here at Georgia Tech and many other places", said Richard Boyd, a senior research scientist at the Georgia Tech Research Institute.
"Right now we can confidently say that a seven-character password is hopelessly inadequate, and as GPU power continues to go up every year, the threat will increase."
Interestingly, the researchers recommend the use of a 12-character password, rather than 11 or 13, "because that number strikes a balance between convenience and security."
"They assumed a sophisticated hacker might be able to try 1 trillion password combinations per second. In that scenario, it takes 180 years to crack an 11-character password, but there's a big jump when you add just one more character - 17,134 years", says CNN.
The researchers also say that, if a site allows you to create a password with non-letter characters, such as "@y;}v%W$\5\", then you should do so.
There are only 26 letters in the English alphabet, but there are 95 printable characters on a standard keyboard (upper- and lower-case letters, digits, punctuation and the space), so every position in the password can take 95 values rather than 26.
"More characters means more permutations, and it soon becomes more difficult for a computer to generate the correct password just by guessing", says the online news report.
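The arithmetic behind the figures quoted above, as an added worked example (this is not code from the article, from CNN or from the Georgia Tech researchers). It assumes what CNN's numbers imply: exhaustive search by an attacker making 10^12 guesses per second, a password whose every position is drawn uniformly from a 26-letter or 95-character alphabet, and a 365-day year. The function and constant names are the example's own.

```python
import math
from typing import Iterable, List, Tuple

# Assumptions taken from the article: a "1 trillion combinations per second"
# attacker, and a 365-day year (this is what reproduces CNN's 180 / 17,134 figures).
GUESSES_PER_SECOND = 10**12
SECONDS_PER_YEAR = 365 * 24 * 60 * 60

LOWERCASE = 26   # "only 26 letters in the English alphabet"
PRINTABLE = 95   # printable ASCII: 52 letters, 10 digits, 32 punctuation marks, space


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Strength of a uniformly random password of this shape, in bits."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int,
                       rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate of this length at `rate` guesses/s.

    A uniformly random password is found, on average, after half this time;
    a password built from dictionary words or keyboard patterns is found far
    sooner, because the attacker does not need to search the whole keyspace.
    """
    return keyspace(alphabet_size, length) / rate


def years_to_exhaust(alphabet_size: int, length: int,
                     rate: int = GUESSES_PER_SECOND) -> float:
    """Same as seconds_to_exhaust, expressed in 365-day years."""
    return seconds_to_exhaust(alphabet_size, length, rate) / SECONDS_PER_YEAR


def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    units = [("years", SECONDS_PER_YEAR), ("days", 86400),
             ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def crack_table(alphabet_size: int, lengths: Iterable[int] = range(7, 13),
                rate: int = GUESSES_PER_SECOND) -> List[Tuple[int, float, str]]:
    """(length, entropy in bits, worst-case search time) for each length."""
    return [(n, entropy_bits(alphabet_size, n),
             human(seconds_to_exhaust(alphabet_size, n, rate)))
            for n in lengths]


if __name__ == "__main__":
    for alphabet, label in ((LOWERCASE, "lowercase letters only"),
                            (PRINTABLE, "full keyboard")):
        print(f"\n{label} ({alphabet} symbols) at {GUESSES_PER_SECOND:,} guesses/s")
        for n, bits, t in crack_table(alphabet):
            print(f"  {n:2d} chars  {bits:5.1f} bits  {t:>16}")
```

Run as a script, the table reproduces the article's numbers: under two hours for eight printable characters, about 180 years for eleven, about 17,134 years for twelve, and only a little over a day for twelve lowercase letters. Two caveats the table itself makes visible: the times are worst-case exhaustive search, so an average random password falls in half the stated time, and a memorable sentence is not a uniformly random string, so its real strength is set by the number of plausible sentences an attacker would try, not by 95 raised to its length.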
Comments
RichardBooth says:
23 August 2010
In all honesty, with such high infection rates of advanced trojan malware, having a 12-character password makes you no more secure than a 4-character or even 256-character password.
When speaking about any threat, you have to put things into context, and the word that comes up most often in the context of security is "risk". When we as consumers decide to choose a password, we do an internal mental risk analysis and choose a password that we feel is adequate for the risk posed by the information we are looking to protect.
Granted, the average person may not have all of the necessary information to make an educated risk analysis, but nonetheless it is this mental process that determines the level of security that we choose for our passwords.
I guess what I am really trying to say is that people will not increase their password complexity (security) unless they perceive a higher level of risk.
Even if passwords were made more complex, trojans will keylog, screen scrape, form grab, you name it to get hold of the credentials if it presents a significant enough return on investment for a fraudster.
Studies like this are interesting, but I feel they mask the true threats that exist.
twitter.com/fightingidfraud