John D. Sutter, CNN (August 20, 2010)
"Say goodbye to those wimpy, eight-letter passwords.
"The 12-character era of online security is upon us, according to a report published this week by the Georgia Institute of Technology.
"The researchers used clusters of graphics cards to crack eight-character passwords in less than two hours.
"But when the researchers applied that same processing power to 12-character passwords, they found it would take 17,134 years to make them snap.
" 'The length of your password in some cases can dictate the vulnerability,' said Joshua Davis, a research scientist at the Georgia Tech Research Institute.
"It's hard to say what will happen in the future, but for now, 12-character passwords should be the standard, said Richard Boyd, a senior research scientist who also worked on the project...."
According to the CNN article, the researchers chose the number 12 for their recommended password length because they think it's a good balance between convenience and security.
Eventually, we may get really long passwords.
"...Here's one suggested password-sentence from Carnegie Mellon University:
" 'No, the capital of Wisconsin isn't Cheeseopolis!'..."
That'll have to wait until the security systems websites use can handle characters other than letters of the alphabet and numbers: commas, apostrophes, and blank spaces, for example.
The Lemming must be using some of the better-run websites: I was surprised to learn that a fair number of places online won't accommodate long passwords.
The Lemming Applauds Himself: But You Might Find It Useful
Me? I've been using 'long' passwords, a dozen or so characters long, for years. They're not all that hard to remember, since I use a pattern. I have three parts for each password. One's a word that isn't in most dictionaries, the other involves a number that's easy for me to remember, and the third is very mnemonic - generally having something to do with the website or service I'm logging into.
If all I relied on was the mnemonic part, I could be hacked fairly easily. All three together? I'm not sure how long it'd take for a program to run through enough combinations to 'guess' the right one. I'm not worried, though: the places I go generally limit the number of times I'm allowed to make a mistake before having to wait and visit the place later.
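The article's two figures (under two hours for eight characters, 17,134 years for twelve, on the same hardware) and the point above about login lockouts both come down to search-space arithmetic. This is an added example, not code from the article or the Georgia Tech report; the 95-symbol printable-ASCII alphabet, the 26-letter alphabet for the lockout case, and the five-tries-per-fifteen-minutes policy are assumptions.

```python
# Added example: brute-force search-space arithmetic behind the length advice.
# Only the article's figures (8 chars in under 2 hours, 12 chars in 17,134
# years, same hardware) come from the page; alphabets and lockout policy are
# assumed.

HOURS_PER_YEAR = 365.25 * 24
PRINTABLE_ASCII = 95  # assumption: letters, digits, punctuation, space


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` symbols."""
    return charset_size ** length


def years_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate."""
    seconds = keyspace(charset_size, length) / guesses_per_second
    return seconds / 3600 / HOURS_PER_YEAR


def implied_charset_size(short_len: int, short_hours: float,
                         long_len: int, long_hours: float) -> float:
    """Solve charset ** (long_len - short_len) == long_hours / short_hours.
    Two (length, time) measurements on the same hardware reveal how many
    symbols per position the attack model assumed."""
    ratio = long_hours / short_hours
    return ratio ** (1.0 / (long_len - short_len))


def article_check() -> dict:
    """Reconcile the CNN figures with a 95-symbol alphabet (offline case:
    the attacker already holds a copy of the password hashes)."""
    implied = implied_charset_size(8, 2.0, 12, 17134 * HOURS_PER_YEAR)
    # Guess rate the cluster would need to clear 95^8 candidates in two hours.
    offline_rate = keyspace(PRINTABLE_ASCII, 8) / (2.0 * 3600)
    return {
        "implied_charset": implied,                  # about 93.4: roughly printable ASCII
        "offline_guesses_per_second": offline_rate,  # about 9.2e11
        # About 1.9e4 years: same order as the 17,134 the article reports.
        "years_for_12_chars": years_to_exhaust(PRINTABLE_ASCII, 12, offline_rate),
    }


def online_lockout_years(length: int, charset_size: int = 26,
                         tries: int = 5, window_seconds: int = 900) -> float:
    """Same arithmetic against a live login that allows `tries` attempts per
    `window_seconds` (assumed policy): the rate limit, not the password,
    dominates, which is why length matters most once a hash list leaks."""
    return years_to_exhaust(charset_size, length, tries / window_seconds)
```

Even an eight-character, lowercase-only password comes out at over a million years of online guessing under that lockout policy; the two-hour figure only applies to an attacker who already has the stored hashes, which is the scenario behind the password-list caveat further down.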
The CNN article does a pretty good job of discussing password security: including how to deal with the issue of remembering your passwords.
One of the solutions seems to be a disaster waiting to happen, as the author concedes:
"...A website called Password Safe will store a list of passwords for you, but Boyd and Davis said it may still be possible for a hacker to obtain that list...."
There are other solutions: including physical gadgets you can carry around with you.
The Lemming's opinion is that the best approach to password security is to work out a system with these properties:
- You can remember it at 2:00 a.m.
- A different password for every site
- Long passwords
- Passwords with letters and numbers
- Nothing involving your birthday, or other facts that others know about you
- Not written on a sticky note stuck to your monitor
- "Twitter's Password Plight(s)" (June 26, 2010)
- "'iTunes account hacked' - Widespread and Under-Reported?" (April 29, 2010)
- "San Francisco Computer Hijacker Convicted" (April 28, 2010)
- "If Your Password is 'Password1' - CHANGE IT" (November 24, 2009)
- "Passwords: Be Sure Yours Isn't on These Lists" (April 20, 2008)