About this time last year, I posted this article about minimum password lengths and ended up recommending 15 characters. I didn’t give it much more thought after that; however, in the light of Steve Gibson’s Password Haystacks and my recent post about PassFault.com, I decided to to take those two tools and compare some passwords of various lengths, both randomly generated and using Steve’s Personal Password Padding. For this test, I chose “unto” as a common word which I used to build variable length passwords from 8 to 16 characters in length that contain upper- and lower-case letters, numbers, and special characters. I also used LastPass to generate random passwords of various lengths. I assumed a massive attack scenario with no password file protection for both tools.
|Password Time-to-Crack Analysis|
|Password||Length||GRC’s Brute Force Password “Search Space” Calculator||PassFault’s Dictionary and Pattern Based Analyzer|
|KF&x8SPw||8||1.12 minutes||less than 1 day|
|wIhE7SdAl!||10||1 week||3 days|
|8nK1Uaxh&xC3||12||1.74 centuries||50 centuries|
|iD0L&DKv39FBK%||14||15.67 thousand centuries||1,652,459 centuries|
|eS5E2p^SK#Uwg4WK||16||1.41 hundred million centuries||242,335 centuries|
|<>Unto90||8||1.12 minutes||less than 1 day|
|<>Un90to<>||10||1 week||less than 1 day|
|<>Un<>90to<>||12||1.74 centuries||4 decades, 3 years|
|<>Un<>90to<>90||14||15.67 thousand centuries||less than 1 day|
|<>Un<>90to<>90<>||16||1.41 hundred million centuries||3 months|
Obviously, PassFault’s algorithm is flawed, as can be seen in the results above. This is evident from the last three lines of the table.
I’m going to stick with 12 characters as an average minimum password length and 15 characters for critical data.