12 character passwords essential say experts

23 August 2010

Research carried out by the Georgia Institute of Technology has confirmed what many IT security professionals have suspected for some time – that eight character passwords are no longer enough to keep the serious hackers at bay.

In a weekend news story on the CNN portal, reporter John D Sutter says that the Georgia Institute recommends that internet users treat a 12-character password as the minimum.

If, like many people, you find a 12-character password difficult to remember, the Institute also says that you can use a sentence, rather than a word/number sequence, as an aide-mémoire.

Researchers at the Institute have reportedly used clusters of PCs with graphics cards – presumably running software from the likes of Elcomsoft, Infosecurity notes – to crack eight-character passwords in less than two hours.

But when the same methodology was applied to a 12-character passphrase, researchers found it would take more than 17 000 years to crack it.

"We've been using a commonly available graphics processor to test the integrity of typical passwords of the kind in use here at Georgia Tech and many other places", said Richard Boyd, a senior research scientist at the Georgia Tech Research Institute.

"Right now we can confidently say that a seven-character password is hopelessly inadequate, and as GPU power continues to go up every year, the threat will increase."

Interestingly, the researchers recommend the use of a 12-character password, rather than 11 or 13, "because that number strikes a balance between convenience and security."

"They assumed a sophisticated hacker might be able to try 1 trillion password combinations per second. In that scenario, it takes 180 years to crack an 11-character password, but there's a big jump when you add just one more character - 17,134 years", says CNN.

The researchers also say that, if a site allows you to create a password with non-letter characters, like "@y;}v%W$\5\" - then you should do so.

There are only 26 letters in the English alphabet, but there are 95 letters and symbols on a standard keyboard.

"More characters means more permutations, and it soon becomes more difficult for a computer to generate the correct password just by guessing", says the online news report.
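The arithmetic behind the quoted figures, as an added example (not code from the article, CNN or the researchers): it assumes exhaustive search at the 1 trillion guesses per second cited above, a 365-day year, and uniformly random passwords. The function names are illustrative.

```python
"""Exhaustive-search time for a uniformly random password (added example)."""

GUESSES_PER_SECOND = 10**12            # attacker rate assumed in the CNN report
SECONDS_PER_YEAR = 365 * 24 * 60 * 60  # assumption: 365-day year

def seconds_to_exhaust(alphabet_size, length, rate=GUESSES_PER_SECOND):
    """Whole seconds to try every string of exactly `length` symbols (worst case)."""
    return alphabet_size ** length // rate

def years_to_exhaust(alphabet_size, length, rate=GUESSES_PER_SECOND):
    """Whole years for the same search; the average case is half of this."""
    return alphabet_size ** length // (rate * SECONDS_PER_YEAR)

def min_length_for(alphabet_size, target_years, rate=GUESSES_PER_SECOND):
    """Shortest length whose full keyspace takes at least `target_years` to search."""
    if alphabet_size < 2:
        raise ValueError("alphabet must contain at least two symbols")
    length = 1
    while years_to_exhaust(alphabet_size, length, rate) < target_years:
        length += 1
    return length

def comparison(lengths=range(8, 14), alphabets=(26, 95)):
    """Rows of (length, {alphabet_size: years}) for a side-by-side policy view."""
    return [(n, {a: years_to_exhaust(a, n) for a in alphabets}) for n in lengths]

if __name__ == "__main__":
    for n, row in comparison():
        print(f"{n:>2} chars  26 letters: {row[26]:>12,} y   95 symbols: {row[95]:>12,} y")
    print("min length for 1,000 years, 95 symbols:", min_length_for(95, 1000))
    print("min length for 1,000 years, 26 letters:", min_length_for(26, 1000))
```

At the same rate, a 12-character password drawn only from the 26 letters is exhausted in about 26.5 hours, which is why the alphabet matters as much as the length. These are upper bounds for random strings; a dictionary word or predictable sentence falls far faster than its length suggests.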




RichardBooth says:

23 August 2010
In all honesty, with such high infection rates of advanced trojan malware, having a 12 character password makes you no more secure than a 4 character or even 256 character password.

When speaking about any threat, you have to put things into context, and the word that comes up most often in the context of security is "risk". When we as consumers decide to choose a password, we do an internal mental risk analysis and choose a password that we feel is adequate for the risk posed by the information we are looking to protect.

Granted, the average person may not have all of the necessary information to make an educated risk analysis but nonetheless it is this mental process that determines the level of security that we choose for our passwords.

I guess what I am really trying to say is that people will not increase their password complexity (security) unless they perceive a higher level of risk.

Even if passwords were made more complex, trojans will keylog, screen scrape, form grab, you name it to get hold of the credentials if it presents a significant enough return on investment for a fraudster.

Studies like this are interesting, but I feel they mask the true threats that exist.
