How long your password needs to be to really thwart hackers

JMH (Emeritus, Contributor), joined Apr 2, 2012, 7,197 posts
Time and again we've seen that the username-password model of security isn't very secure. In its latest exposé, Ars Technica showed how 90 percent of passwords are quickly made mincemeat. But until we have electronic tattoos and password pills, we're stuck with the same old password problem. How do you make your password more secure?

The easiest answer is to just make it longer. While 6-character passwords containing mixed characters and numbers might once have been considered secure, crackers these days can guess them in minutes using brute force, thanks to improved technology. According to the Ars article:

Gosney's first stage cracked 10,233 hashes, or 62 percent of the leaked list, in just 16 minutes. It started with a brute-force crack for all passwords containing one to six characters, meaning his computer tried every possible combination starting with "a" and ending with "//////." Because guesses have a maximum length of six and are comprised of 95 characters—that's 26 lower-case letters, 26 upper-case letters, 10 digits, and 33 symbols—there are a manageable number of total guesses. This is calculated by adding the sum of 95^6 + 95^5 + 95^4 + 95^3 + 95^2 + 95. It took him just two minutes and 32 seconds to complete the round, and it yielded the first 1,316 plains of the exercise.
How long your password needs to be to really thwart hackers | ITworld
 
Length doesn't have much to do with it. If you count on length, 7 characters or more is good. Otherwise, all numbers or all A-Z is still bad, numbers and letters are better, and including symbols expands the combinations by many more possibilities if someone wanted to brute-force your password. If you think your 5-character password is going to do anything against a dictionary attack, even if you have a password like "john57", you should rethink your assumption. Against a full rainbow table, though, you'd better have a complex password. This is considered to have a number of properties, and you can look that up.
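As an added worked example (not from the Ars article or from any of the posts in this thread), here is the keyspace sum the quoted passage spells out, generalised to the character-set sizes this reply compares, plus an assumed guess rate to turn it into a minimum-length figure:

```python
"""Keyspace arithmetic behind the quoted brute-force stage.

Added example, not the Ars article's or the forum posters' code. The guess
rate used at the bottom is an assumed, constructed figure for illustration.
"""

# Character-set sizes discussed in the thread: digits only, one case of
# letters, letters plus digits, and the full printable set (26+26+10+33 = 95).
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "letters+digits": 62,
    "full 95 printable": 95,
}


def keyspace(charset_size: int, max_len: int, min_len: int = 1) -> int:
    """Count of all strings of length min_len..max_len over the charset.

    For charset_size=95, max_len=6 this is exactly the Ars sum
    95^6 + 95^5 + 95^4 + 95^3 + 95^2 + 95.
    """
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def seconds_to_exhaust(charset_size: int, max_len: int, guesses_per_sec: float) -> float:
    """Worst-case time to try every candidate at an assumed guess rate."""
    return keyspace(charset_size, max_len) / guesses_per_sec


def min_length_for(charset_size: int, guesses_per_sec: float, seconds: float) -> int:
    """Smallest max_len whose full keyspace takes at least `seconds` to exhaust.

    This is the defender's direction of the calculation: given a rate you
    believe an attacker can reach, what length does a policy need?
    """
    n = 1
    while seconds_to_exhaust(charset_size, n, guesses_per_sec) < seconds:
        n += 1
    return n


if __name__ == "__main__":
    rate = 5e9  # constructed rate: 5 billion guesses/s, illustration only
    year = 365 * 86400
    for name, size in CHARSETS.items():
        t6 = seconds_to_exhaust(size, 6, rate)
        need = min_length_for(size, rate, year)
        print(f"{name:>18s}: 6 chars exhausted in {t6:10.1f}s; "
              f"need {need} chars to last a year at this rate")
```

Running it shows why the reply above stresses charset as much as length: at the same assumed rate, adding symbols raises the required length far less than switching from digits only to the full printable set does.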
 
The best way is to use hardware as part of the hash (like smart cards or RSA keys) to keep them more secure. However, with attacks in the vein of pass-the-hash, for instance, if an attacker can get on the network and sniff for a while, he or she doesn't even really need your password anymore. Focusing on secure passwords is, in my opinion, no longer a wise thing to focus on as intently as one may have 10 years ago. Secure endpoint traffic with IPsec and implement hardware tokens, and your network will be far more secure than simply implementing 11-or-more-character passwords, in all honesty. Hacking has moved past the password, and I think it's time net admins started realizing this and doing more to protect the network itself, where most environments are still sorely lacking. We call those candy-bar networks: crunchy and hard on the outside, but chewy and easy to get through once you're inside. I'm not saying using simple passwords is OK, but I find a lot of security folks who just make password complexity difficult and buy products to scan and encrypt endpoints, when the real vulnerabilities lie between them. Also, tokens or smart cards implement multiple layers of good security, what you have (token/card) and what you know, and without both, the password or token granting access itself is much more difficult to gain. That doesn't mitigate things like hash attacks, though, which is why candy-bar networks are still the problem, and stronger passwords do nothing to mitigate more advanced attacks.
 
Most hackers won't be bothered about your password these days; they most probably have much easier methods of hacking into systems.
 
Most commonly online, the only thing needed is the admin password, which is usually stored as an MD5 or some other hash in a database (SQL). Using SQL injection, the hash can be retrieved, then cracked by brute-forcing techniques that really have no limitations, because there is no server limiting the number of tries you have to crack it. The only thing left is to apply it to retrieve the rest of the database, which may include all of the other hashed passwords for other users. If the database stores your emails, once these values are cracked, lots of people who want to target a specific user will use that same password to test on your email (because most people use the same passwords for numerous things), and once they have your email then you are done... Password resets to everything, no more "hacking" involved at this point, and anybody can go from there.

So passwords do still commonly play a role, but there are many other ways even still... Of course, I think the security behind a password really depends on where the password is being used. Online? Windows user account login? etc.

I deal with a lot of people that confront me about security, and my main rule for them is to just not use the same password for anything else. I don't care what password you use, just don't use it other places. Try to use different passwords as much as possible. If someone wants to hack you they probably will regardless of what you do to protect yourself if they want to get you bad enough, so don't make it easier for them by using the password for everything you need a password for.

Email is the most sacred thing, and more people should realize this. You get emails sent to you for everything, and this is information. In the world of hackers, information is priceless. Lots of people try to tell me "Well why would they want my email? What can they do, read about how <insert person here> wanted to plan a birthday party for <insert another random person here> on <insert date here>?"

Ever seen that "forgotten password reset" link on about 90% of the places you need to input a password? Where do you think the validation gets sent? PROTECT your email accounts, and don't have that same password that you use for any of your email accounts for anything at all, other than those email accounts themselves.
 