12 character passwords found to be far superior to 8 characters (opens in new tab)

(edition.cnn.com)

3 pointsarch_hunter15y ago9 comments

9 comments

9 comments · 8 top-level

boomka15y ago· 1 in thread

This is idiocy. There is no system in existence that I know of where you will be allowed to sit and try millions of passwords.

About the only place I can think of is encrypted partitions, when you somehow obtained the physical drive. But that usually has other, additional security mechanisms in place.

After failure number 5 most systems just lock the account. All the requirements on password complexity are sheer idiocy.

drdaeman15y ago

> After failure number 5 most systems just lock the account.

Which gives us a nice method of blocking someone from their account just by intentionally logging in with a wrong password 5 times.

Much better method is to require user to solve CAPTCHA (or, maybe, "hashcash"-type test, to perform some time-consuming computation) after 2nd wrong guess per hour.

> All the requirements on password complexity are sheer idiocy.

Not exactly all. Sane minimal requirements like "you password can't be your name or birth date (or both of them combined)" are perfectly fine. It's very sad how many people use their birth year (yeah, just 4 digits!) as a password. And this is not because they don't care about their accounts (they do), it's just because they just don't get how insecure it is.

Just don't overdo it with real idiocy like "your password must contain at least one digit". Hey, my password generator gave me "CEvbnofFqDKNdRsW", and this IS really secure enough.

teilo15y ago

In other news: A recent study has found that wool parkas found protect one from the cold far better than short sleeve shirts.

Vitaly15y ago

not sure what are all those dismissive comments are about. the news here is that it become exceptionally EASY to brute-force an 8 character password. 8char passwords did provide the security for a while, but it seems they don't anymore. Equipment built from off the shelf components (and not too many of them) can break such passwords today. I'm sure it will soon be used not just by NSA but by almost anyone, including some 'recovery' businesses.

GiraffeNecktie15y ago

Worst researched article ever.

A website called Password Safe will store a list of passwords for you, but Boyd and Davis said it may still be possible for a hacker to obtain that list.

PasswordSafe is a software program (created by Bruce Schneir) that stores your passwords on your own computer. It is not a website for storing passwords.

holman15y ago

But when the researchers applied that same processing power to 12-character passwords, they found it would take 17,134 years to make them snap.

I love how they position this as some sort of strenuous discovery and not simple math.

petrilli15y ago

Who knew CNN had Captain Obvious working for them?

mhd15y ago

But as always, you can compensate for lack of length BY BEING LOUD (not for the whole time) and/or being exceptionally (00L.

nostromo15y ago

Just do what I do: use an 8 character random password... twice.

j / k navigate · click thread line to collapse