The death of 8-character passwords

In 2001, this was funny: http://ars.userfriendly.org/cartoons/?id=20011015

Today the password in that comic, &//]-A;;, can be cracked in hours with a $120 graphics card.

I’ve actually been living with nightmarish 15-character, mixed-case passwords with numbers and symbols mixed in for several years. And I have to change them every 60 days. The only way to deal with them is with a formula. I came up with a formula years ago, and when I have to change, I jot down a hint that only I’ll understand in order to jog my memory (or allow me to reconstruct it for the first week).

I won’t tell you my formula. But basically you need to find yourself a pile of data that includes letters and numbers that you can look up easily. If there’s anything you collect, a price guide should work. In a pinch, even a phone list would do. This password isn’t terrible:

John_Doe555-6565

Anything that gives you some letters and numbers that you can sprinkle a couple of non-alphanumeric symbols into helps. Then you need to decide on your formula, jot down your hint every time you have to change that password–and it’s better to keep it in your wallet than in your desk drawer–and then you have some hope of staying secure.

A 9-character mixed password (upper and lower case, digits and symbols) can be cracked in 48 days by a $120 graphics card. Unfortunately that 48 days is the worst case for the attacker, not for you: it assumes every candidate has to be tried, and on average the password falls in half that time. So 9-character passwords are insufficient, especially since most organizations keep passwords for 60 or 90 days. Or more. And if a bad guy really wants your CEO’s password, they’re going to throw a lot more than a $120 graphics card at it. Companies like Microway make high-end cards loaded with GPUs for intense computation. They cost thousands of dollars, but to someone bent on industrial espionage, thousands of dollars is just a speed bump.

The long-term solution is to use two-factor authentication, using a smart card or some kind of biometrics and a PIN. These have problems too–a keylogger can capture PINs, and smart card tokens can be hijacked and fingerprints can be faked–but it’s more difficult than just brute-forcing a password.

But web sites won’t be using that for a long time, if ever, and some organizations can’t afford to roll out two-factor authentication. In those cases, ever-longer passwords are the fastest and cheapest solution, as unpopular as they may be.

And if you’re wondering whether you should use long, mixed-up passwords on things like your eBay account, Paypal, your bank, and your Hotmail/Gmail/Yahoo account, the answer is yes. And don’t use the same password on all of them. If you can’t stand the idea of remembering 14 different passwords, you could use one password and tack something onto the end: ebay, the letter “e,” or something similar. If someone manages to get one password, they may figure out your formula anyway, but if your password is 16 characters long, that’ll deter the people breaking random people’s passwords by brute force. They’ll stick with the people still using 8-character passwords.
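The arithmetic behind the 48-day and 16-character claims above is simple enough to check. The following script is an added example, not part of the original post: it treats the post’s “9 mixed characters in 48 days” figure as a benchmark, derives the implied guess rate from it, and then projects worst-case exhaustive-search times for other lengths. It assumes a 95-symbol printable-ASCII alphabet, a pure brute-force attacker (no dictionary or pattern rules, which is exactly why formula-based passwords like John_Doe555-6565 are weaker than their length suggests), and a 100x hardware multiplier as a stand-in for the well-funded attacker the post describes; all three are assumptions, not figures from the page.

```python
# Character-set sizes assumed for the arithmetic below (assumption, not from the post).
PRINTABLE_ASCII = 95   # upper + lower + digits + punctuation, space excluded
ALNUM = 62             # upper + lower + digits only


def keyspace(length, charset_size):
    """Number of candidates an exhaustive search must cover."""
    return charset_size ** length


def worst_case_seconds(length, charset_size, guesses_per_second):
    """Time to try every candidate; the average case is half of this."""
    return keyspace(length, charset_size) / guesses_per_second


def rate_from_benchmark(length, charset_size, seconds):
    """Infer a guess rate from one published 'length X cracked in Y' figure."""
    return keyspace(length, charset_size) / seconds


def describe(seconds):
    """Human-readable duration for a worst-case cracking time."""
    minute, hour, day, year = 60, 3600, 86400, 365.25 * 86400
    if seconds < hour:
        return f"{seconds / minute:.1f} minutes"
    if seconds < day:
        return f"{seconds / hour:.1f} hours"
    if seconds < year:
        return f"{seconds / day:.1f} days"
    return f"{seconds / year:.3g} years"


# Calibrate to the post's figure: a 9-character mixed password in 48 days
# on a $120 card. The 95-symbol alphabet is our assumption.
POST_GPU_RATE = rate_from_benchmark(9, PRINTABLE_ASCII, 48 * 86400)


def crack_table(lengths, charset_size=PRINTABLE_ASCII, rate=POST_GPU_RATE):
    """Map each password length to its worst-case cracking time in seconds."""
    return {n: worst_case_seconds(n, charset_size, rate) for n in lengths}


if __name__ == "__main__":
    print(f"Implied rate: {POST_GPU_RATE:.2e} guesses/s")
    for n, secs in crack_table(range(8, 17)).items():
        print(f"{n:2d} mixed chars: {describe(secs)}")
    # Hypothetical well-funded attacker with 100x the hardware (assumption).
    print("--- 100x hardware ---")
    for n, secs in crack_table([12, 15, 16], rate=POST_GPU_RATE * 100).items():
        print(f"{n:2d} mixed chars: {describe(secs)}")
    # Dropping symbols shrinks the alphabet and costs a lot at every length.
    print("--- letters and digits only ---")
    for n, secs in crack_table([9, 12], charset_size=ALNUM).items():
        print(f"{n:2d} alnum chars: {describe(secs)}")
```

Under these assumptions the post’s own numbers hang together: the implied rate makes the 8-character comic password fall in roughly half a day, which matches “hours,” and each added mixed character multiplies the work by 95, so 16 characters pushes the worst case into the trillions of years even at 100x the hardware. Note what the model does not capture: a formula-generated password drawn from a phone list or price guide occupies a far smaller space than 95^n, so the real defence is length combined with unpredictability, not length alone.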

One thought on “The death of 8-character passwords”

  • June 7, 2011 at 2:06 pm

    My current pet peeve is websites and applications that limit the length of my password. For years I’ve been using randomly generated passwords from KeePass, but I’ve recently started using sentence-based passwords (“This6is6a6Password.”). Unfortunately, several of the websites I’ve tried similar passwords on have a set limit. Argh!

    In the recent Sony and Fox database hacks, I saw that all the passwords of 8 characters or not were cracked almost instantly and posted online.
