Security Corner

May 22 2011   4:56PM GMT

How Long Should a Strong Password Be These Days?

Ken Harthun


It used to be – and I used to recommend – that a good, strong password was a combination of upper- and lower-case letters, numbers and special symbols, at least 8 characters long. But as technology advances, CPU speeds and processing power also increase, so brute-force password cracking programs can guess longer passwords in less time. In these days of multi-core processors running at speeds approaching 4GHz, with distributed computing projects such as Project Bovine RC5-64 reportedly capable of guessing 76.1 billion passwords per second, 8 characters just isn’t enough. Think about it: an 8-character password drawn from a 96-character field has 7.2 quadrillion possible combinations; RC5-64 could guess it in less than 100 seconds.

When the Georgia Tech Research Institute developed a method of using general-purpose GPUs to crack passwords last year (2010), I took their advice and began recommending 12 characters as the minimum length for passwords. With all of the recent database breaches in the news, I’m now considering upping the ante and recommending 15 characters as the minimum length. The problem with this is the extreme difficulty of remembering a password like %qz!BUrznT8Vs&T. Such long, random passwords have to be recorded somewhere, so some method of encrypting your password list, or a secure password manager such as LastPass, becomes essential.
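The arithmetic behind the two paragraphs above, as an added example that is not part of the original post: it computes the keyspace, entropy and worst-case exhaustive-search time for 8-, 12- and 15-character passwords over the 96-character field at the 76.1 billion guesses per second the post cites, and draws a random password of the %qz!BUrznT8Vs&T kind with a CSPRNG. The 94-character generator alphabet and the hour/year constants are my assumptions, not figures from the post.

```python
import math
import secrets
import string

# The post's figures: a 96-character field and a guess rate of
# 76.1 billion passwords per second (Project Bovine RC5-64).
ALPHABET_SIZE = 96
GUESSES_PER_SECOND = 76.1e9
SECONDS_PER_HOUR = 3600
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def keyspace(length, alphabet_size=ALPHABET_SIZE):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length

def entropy_bits(length, alphabet_size=ALPHABET_SIZE):
    """Bits of entropy of a uniformly random password of that length."""
    return length * math.log2(alphabet_size)

def exhaust_seconds(length, rate=GUESSES_PER_SECOND, alphabet_size=ALPHABET_SIZE):
    """Worst-case time to try every password (the expected time is half this)."""
    return keyspace(length, alphabet_size) / rate

def crack_time_table(lengths=(8, 12, 15)):
    """Keyspace, entropy and worst-case search time for each candidate length."""
    rows = []
    for n in lengths:
        secs = exhaust_seconds(n)
        rows.append({"length": n, "keyspace": keyspace(n),
                     "bits": round(entropy_bits(n), 1),
                     "hours": secs / SECONDS_PER_HOUR,
                     "years": secs / SECONDS_PER_YEAR})
    return rows

# Assumed generator alphabet: the 94 printable ASCII letters, digits and
# punctuation marks (the post's 96-character field is slightly larger).
GENERATOR_ALPHABET = string.ascii_letters + string.digits + string.punctuation

def random_password(length=15, alphabet=GENERATOR_ALPHABET):
    """Draw each character uniformly with the secrets CSPRNG, never random."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    for row in crack_time_table():
        print(f"{row['length']:>2} chars: {row['bits']:5.1f} bits, "
              f"{row['hours']:.3g} hours ({row['years']:.3g} years) to exhaust")
    print("example 15-character password:", random_password())
```

At that rate the full 8-character space takes about 26 hours to exhaust, 12 characters runs to hundreds of thousands of years, and 15 characters to hundreds of billions.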

The SANS Institute’s Security Awareness project recently published some good advice on creating and protecting passwords in this newsletter (PDF). I agree with their advice and highly recommend you take a look at the newsletter.
