

12 character passwords found to be far superior to 8 characters - arch_hunter
http://edition.cnn.com/2010/TECH/innovation/08/20/super.passwords/index.html

======
teilo
In other news: A recent study has found that wool parkas protect one from the
cold far better than short sleeve shirts.

------
Vitaly
Not sure what all those dismissive comments are about. The news here is that
it has become exceptionally EASY to brute-force an 8 character password.
8-char passwords did provide security for a while, but it seems they don't
anymore. Equipment built from off the shelf components (and not too many of
them) can break such passwords today. I'm sure it will soon be used not just
by the NSA but by almost anyone, including some 'recovery' businesses.

------
boomka
This is idiocy. There is no system in existence that I know of where you will
be allowed to sit and try millions of passwords.

About the only place I can think of is encrypted partitions, when you somehow
obtained the physical drive. But that usually has other, additional security
mechanisms in place.

After failure number 5 most systems just lock the account. All the
requirements on password complexity are sheer idiocy.

~~~
drdaeman
> After failure number 5 most systems just lock the account.

Which gives us a nice method of blocking someone from their account just by
intentionally logging in with a wrong password 5 times.

A much better method is to require the user to solve a CAPTCHA (or, maybe, a
"hashcash"-type test, i.e. to perform some time-consuming computation) after
the 2nd wrong guess per hour.

> All the requirements on password complexity are sheer idiocy.

Not exactly all. Sane minimal requirements like "your password can't be your
name or birth date (or both of them combined)" are perfectly fine. It's very
sad how many people use their birth year (yeah, just 4 digits!) as a password.
And this is not because they don't care about their accounts (they do), it's
just because they don't get how insecure it is.

Just don't overdo it with real idiocy like "your password must contain at
least one digit". Hey, my password generator gave me "CEvbnofFqDKNdRsW", and
this IS really secure enough.
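The throttling scheme drdaeman describes, as an added example that is not part of this thread (illustrative Python, not any real site's code): a per-account budget of two wrong guesses per hour, after which the server demands a hashcash-style proof of work instead of locking the account. The window length, the 16-bit difficulty and the `sha256(nonce || counter)` puzzle format are assumptions.

```python
import hashlib, hmac, os, time
from collections import defaultdict

# Policy from the comment above: a challenge, not a lockout, after the 2nd wrong guess per hour.
WINDOW_SECONDS = 3600
FREE_FAILURES = 2   # wrong guesses per window before a challenge is required
POW_BITS = 16       # assumed difficulty: ~65k hashes per solve; raise it to cost more

def pow_ok(nonce, proof, bits=POW_BITS):
    digest = hashlib.sha256(nonce + proof).digest()
    return int.from_bytes(digest, "big") >> (256 - bits) == 0

def solve_challenge(nonce, bits=POW_BITS):
    # Client side: search counters until sha256(nonce || counter) has `bits` leading zeros.
    counter = 0
    while not pow_ok(nonce, counter.to_bytes(8, "big"), bits):
        counter += 1
    return counter.to_bytes(8, "big")

class LoginThrottle:
    # Per-account failure counter gated by a hashcash-style puzzle; nothing ever locks.
    def __init__(self, now=time.time):
        self.now = now                      # injectable clock for testing
        self.failures = defaultdict(list)   # account -> failure timestamps
        self.challenges = {}                # account -> outstanding nonce

    def challenge_required(self, account):
        cutoff = self.now() - WINDOW_SECONDS
        self.failures[account] = [t for t in self.failures[account] if t > cutoff]
        return len(self.failures[account]) >= FREE_FAILURES

    def issue_challenge(self, account):
        self.challenges[account] = os.urandom(16)   # fresh random nonce per challenge
        return self.challenges[account]

    def verify_proof(self, account, proof):
        nonce = self.challenges.pop(account, None)  # single use: consumed on any attempt
        return nonce is not None and pow_ok(nonce, proof)

def attempt_login(throttle, account, password, real_password, proof=None):
    # Returns 'ok', 'wrong', or 'challenge' (a valid proof of work is needed first).
    if throttle.challenge_required(account):
        if proof is None or not throttle.verify_proof(account, proof):
            return "challenge"
    if hmac.compare_digest(password.encode(), real_password.encode()):
        throttle.failures[account].clear()          # success resets the budget
        return "ok"
    throttle.failures[account].append(throttle.now())
    return "wrong"
```

Because no account is ever locked, the "log in wrong five times" denial of service from the parent comment does not apply; each extra guess instead costs the guesser a puzzle solve, and the legitimate user who knows the password pays that cost at most once.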

------
GiraffeNecktie
Worst researched article ever.

_A website called Password Safe will store a list of passwords for you, but
Boyd and Davis said it may still be possible for a hacker to obtain that
list._

PasswordSafe is a software program (created by Bruce Schneier) that stores your
passwords on your own computer. It is not a website for storing passwords.

------
holman
_But when the researchers applied that same processing power to 12-character
passwords, they found it would take 17,134 years to make them snap._

I love how they position this as some sort of strenuous discovery and not
simple math.

------
petrilli
Who knew CNN had Captain Obvious working for them?

------
mhd
But as always, you can compensate for lack of length BY BEING LOUD (not for
the whole time) and/or being exceptionally (00L.

------
nostromo
Just do what I do: use an 8 character random password... twice.

