It used to be – and I used to recommend – that a good, strong password was a combination of upper/lower case letters, numbers and special symbols at least 8 characters long. But as technology advances, CPU speeds and processing power also increase, so brute-force password cracking programs can guess longer passwords in less time. In these days of multi-core processors running at speeds approaching 4GHz, with distributed computing projects such as Distributed.net’s Project Bovine RC5-64 reportedly capable of guessing 76.1 billion passwords per second, 8 characters just isn’t enough. Think about it: an 8-character password drawn from a 96-character set has 7.2 quadrillion possible combinations; RC5-64 could guess it in less than 100 seconds.
When Georgia Tech Research Institute developed a method of using general-purpose GPUs to crack passwords last year (2010), I took their advice and began recommending 12 characters as the minimum length for passwords. With all of the recent database breaches in the news, I’m now considering upping the ante and recommending 15 characters as a minimum length for passwords. The problem with this is the extreme difficulty of remembering a password like %qz!BUrznT8Vs&T. Such long, random passwords have to be recorded somewhere, so some method of encrypting your password list or a secure password manager such as LastPass becomes essential.
The SANS Institute’s Security Awareness project recently published some good advice on creating and protecting passwords in this newsletter (PDF). I agree with their advice and highly recommend you take a look at the newsletter.