Ask Leo: How long should a password be?

askleo

By Leo Notenboom

For a long time, the common thinking was that the best, most practical passwords
consisted of a random combination of upper- and lower-case letters, numbers, and a
special character or two; composed that way, a password needed to be only eight
characters long.

Randomness remains important, but as it turns out, size matters more.

A password today should have a minimum of ten characters, and ideally, twelve.

Large-scale account hacks

When you hear about large numbers of accounts being stolen by a hack at
some service provider, you are naturally concerned that the hacker might now
have access to your account names and passwords. If the service was storing your actual passwords, that could indeed be the case.
(As I’ve said before, if a service is storing your actual passwords,
then they simply don’t understand security or they have made some horrifically bad
decisions.)

In fact, most services store not your password itself but a hashed form of it
(often loosely called “encrypted”, although hashing is a different, one-way
operation). For example, if my password were “password” (and that’s a very poor
password, of course), then a service using the SHA-256 hash function would store
“5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8”, which is the
hash value that corresponds to that password.

“Even the best eight-character passwords should no longer be
considered secure.”

What that means is that hackers do not get a list of user names and
passwords. What they get is a list of usernames and password hashes.

And what’s useful about hashes is that you can calculate a hash from a
password, but not the reverse: there is no practical way to calculate the
password from the hash.

As a result, one would think that a hashed password would be pretty much unhackable,
right?

Sadly, not so much.

Dictionary attacks

The most common type of password attack is simply a high-speed guessing
game.

These attacks start with an exhaustive list of likely words (including names,
profanities, acronyms, and more) and a set of rules that generate the common ways
people try to disguise words: capitalizing them, swapping letters for similar-looking
digits or symbols, appending a digit or an exclamation mark. The attacker calculates
the hash of each guess, and if it matches a hash in the compromised database of
account information they are working against, they have recovered the password for
that account.

As we’ll see in a moment, it’s easy for hackers to make an amazing number of
guesses in a short amount of time.

That’s why you’re not using that kind of password, right?

That’s why a password created from a totally random combination of characters is best: no wordlist or mangling rule will produce it, so it forces hackers to move on to a true brute-force attack, trying every possible combination of characters, to gain access.
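As an added illustration of the two ideas above, the hashed password store and the dictionary attack that is run against it, here is a small Python example. It is not code from the Ask Leo article or from any real cracking tool: the usernames, the wordlist, the mangling rules, the random password and the guess rate used at the end are all constructed assumptions. The hash function is SHA-256, which is what produces the article's example hash for “password”; the example also works out the size of the keyspace a true brute-force attack faces at 8, 10 and 12 characters.

```python
import hashlib
import string

# Added example (not code from the Ask Leo article): a toy version of the
# hashed-password store and the dictionary attack described above. Everything
# below is constructed for illustration: the usernames, the wordlist, the
# mangling rules and the guess rate are assumptions, not data from the page.


def sha256_hex(password: str) -> str:
    """Hash a password the way the article's example service does: plain SHA-256, no salt."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed "leaked" table of username -> password hash. The plaintexts noted
# in the comments are what the attacker is trying to recover; alice's hash is
# the article's own example value for "password".
LEAKED_HASHES = {
    "alice": "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8",  # "password"
    "bob": sha256_hex("P@ssw0rd1"),       # "password" with common mangling applied
    "carol": sha256_hex("Xq7!mB2#vL9z"),  # 12 random characters (constructed)
}

# Constructed wordlist; a real one has millions of entries.
WORDLIST = ["letmein", "monkey", "dragon", "password", "qwerty"]

# A few "leet" substitutions people use to obfuscate words (assumed rule set),
# plus the suffixes people commonly tack on.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0"})
SUFFIXES = [""] + [str(d) for d in range(10)] + ["!", "!1", "123", "1234"]


def mangle(word: str):
    """Yield the variants of a dictionary word that the attacker's rules generate."""
    bases = dict.fromkeys([word, word.capitalize(), word.upper(),
                           word.translate(LEET), word.capitalize().translate(LEET)])
    for base in bases:
        for suffix in SUFFIXES:
            yield base + suffix


def dictionary_attack(leaked: dict, wordlist: list):
    """Hash every mangled guess and look it up in the leaked table.

    Returns (cracked, guesses): a {username: recovered_password} dict and the
    number of hashes computed. Because the hashes are unsalted, one guess is
    checked against every account with a single lookup; a per-user salt would
    force the attacker to hash each guess once per user.
    """
    by_hash = {}
    for user, digest in leaked.items():
        by_hash.setdefault(digest, []).append(user)
    cracked = {}
    guesses = 0
    for word in wordlist:
        for guess in mangle(word):
            guesses += 1
            for user in by_hash.get(sha256_hex(guess), ()):
                cracked[user] = guess
    return cracked, guesses


# Printable ASCII minus space: 26 + 26 + 10 + 32 = 94 characters.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def brute_force_keyspace(length: int, alphabet: str = FULL_ALPHABET) -> int:
    """Number of candidates a true brute-force attack must try for a random password."""
    return len(alphabet) ** length


def years_to_exhaust(length: int, guesses_per_second: float) -> float:
    """Worst-case time to try the whole keyspace at the given (assumed) guess rate."""
    return brute_force_keyspace(length) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    cracked, guesses = dictionary_attack(LEAKED_HASHES, WORDLIST)
    print(f"{guesses} guesses, cracked: {cracked}")  # alice and bob fall, carol does not
    rate = 1e10  # assumed guess rate, for illustration only
    for n in (8, 10, 12):
        print(f"{n} chars: {brute_force_keyspace(n):.2e} candidates, "
              f"{years_to_exhaust(n, rate):.2e} years at {rate:.0e} guesses/s")
```

Running it shows the point of the section: “password” and its mangled cousin “P@ssw0rd1” fall to a handful of hundred guesses, while the random 12-character password is never produced by any rule and can only be reached by brute force, whose keyspace grows by a factor of 94 for every character added. Two practitioner caveats the toy omits: real services should store salted, deliberately slow hashes (bcrypt, scrypt or Argon2) rather than bare SHA-256, which removes the one-lookup-for-all-users shortcut and cuts the guess rate by orders of magnitude; and the guess rate in the script is an assumption, so treat the printed years as a comparison between lengths, not as a forecast.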

Article continued here

This post is excerpted with Leo’s permission from his blog.

Facebook URL: Leo’s Facebook

Twitter URL: http://twitter.com/askleo


One thought on “Ask Leo: How long should a password be?”

  1. Here’s a method that I use to create a password that may be unique. It works best for touch typists. Place both hands on the keyboard as you normally would. Without typing, move your hands up one row higher and one space to the right. Now, without looking at the keyboard, type “Leo.” Here’s what you get — “p40”. Just an example of an unforgettable password, unless one is prone to forget their name. Here’s an example of “wolfgang” — “30ptywjy”.
    Of course, one row up and one space right can be different combinations also.
    One day I was typing along with my hands in the wrong position, which is what gave me this idea.

    Enjoy your articles.

    Wolfgang Smutz
