Security Corner

May 29 2012   6:31PM GMT

Minimum password length redux



Posted by: Ken Harthun
Tags:
Password best practice

About this time last year, I posted this article about minimum password lengths and ended up recommending 15 characters. I didn’t give it much more thought after that; however, in the light of Steve Gibson’s Password Haystacks and my recent post about PassFault.com, I decided to take those two tools and compare some passwords of various lengths, both randomly generated and using Steve’s Personal Password Padding. For this test, I chose “unto” as a common word which I used to build variable length passwords from 8 to 16 characters in length that contain upper- and lower-case letters, numbers, and special characters. I also used LastPass to generate random passwords of various lengths. I assumed a massive attack scenario with no password file protection for both tools.

Password Time-to-Crack Analysis
| Password | Length | GRC’s Brute Force Password “Search Space” Calculator | PassFault’s Dictionary and Pattern Based Analyzer |
|---|---|---|---|
| KF&x8SPw | 8 | 1.12 minutes | less than 1 day |
| wIhE7SdAl! | 10 | 1 week | 3 days |
| 8nK1Uaxh&xC3 | 12 | 1.74 centuries | 50 centuries |
| iD0L&DKv39FBK% | 14 | 15.67 thousand centuries | 1,652,459 centuries |
| eS5E2p^SK#Uwg4WK | 16 | 1.41 hundred million centuries | 242,335 centuries |
| <>Unto90 | 8 | 1.12 minutes | less than 1 day |
| <>Un90to<> | 10 | 1 week | less than 1 day |
| <>Un<>90to<> | 12 | 1.74 centuries | 4 decades, 3 years |
| <>Un<>90to<>90 | 14 | 15.67 thousand centuries | less than 1 day |
| <>Un<>90to<>90<> | 16 | 1.41 hundred million centuries | 3 months |

Obviously, PassFault’s algorithm is flawed, as can be seen in the results above. This is evident from the last three lines of the table.

I’m going to stick with 12 characters as an average minimum password length and 15 characters for critical data.
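
The brute-force column in the table can be reproduced from length and character classes alone, which is why the random and the padded passwords of equal length get identical figures there. The following is an added example, not code from this post or from GRC; the 95-character alphabet, the rate of 10^14 guesses per second and the 364-day year are assumptions chosen because they reproduce the table's figures.

```python
import string

# Character classes and their sizes (assumption: 26 + 26 + 10 + 33 = 95
# printable ASCII characters, with space counted as a symbol).
CLASSES = (
    frozenset(string.ascii_lowercase),
    frozenset(string.ascii_uppercase),
    frozenset(string.digits),
    frozenset(string.punctuation + " "),
)

GUESSES_PER_SECOND = 10**14          # assumed "massive attack" rate
SECONDS_PER_CENTURY = 100 * 364 * 86400  # assumed 52-week year


def alphabet_size(password: str) -> int:
    """Sum the sizes of every character class the password draws from."""
    used = set()
    for ch in password:
        for cls in CLASSES:
            if ch in cls:
                used.add(cls)
                break
        else:
            raise ValueError(f"unsupported character: {ch!r}")
    return sum(len(cls) for cls in used)


def search_space(password: str) -> int:
    """Count all candidates of length 1..len(password) over that alphabet."""
    size = alphabet_size(password)
    return sum(size**k for k in range(1, len(password) + 1))


def seconds_to_exhaust(password: str) -> float:
    """Worst-case time for an exhaustive search at the assumed rate."""
    return search_space(password) / GUESSES_PER_SECOND


if __name__ == "__main__":
    # Passwords taken from the table above: one random, one padded, per length.
    for pw in ("KF&x8SPw", "<>Unto90", "8nK1Uaxh&xC3", "<>Un<>90to<>"):
        secs = seconds_to_exhaust(pw)
        print(f"{pw:14} len={len(pw):2} alphabet={alphabet_size(pw)} "
              f"minutes={secs / 60:.2f} centuries={secs / SECONDS_PER_CENTURY:.2f}")
```

A brute-force model of this kind never inspects structure, so a repeated padding pattern and a random string score the same; a pattern-based analyzer does inspect structure, which is where the two columns diverge.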
