How secure are passwords with under 20 characters length?
Solution 1
This is an interesting article (see PDF print if web archive unavailable). It details how long it would theoretically take to brute force a password for different lengths and symbol sets.
Solution 2
You might want to point whoever wrote that policy at this blog post from Bruce Schneier.
It's a good writeup of why the strength of passwords is the least of anyone's problems on the web.
Solution 3
Look at the accepted answer in this post. It shows that even an 8-character password using the full range of characters can take ~10,000 years to crack!
Solution 4
If you count the use of rainbow tables as brute force (opinions vary) then for 8 characters, using rainbow tables that include all the characters in the password, about 10 seconds. 20 character password (same characters, same rainbow tables), less than 30 seconds. The catch is that it takes a long time to generate the tables. Mine took about a month to generate on a 3GHz machine processing only at night. On the other hand, you only need to do that once.
The issue of trying to remember long passwords is easily solved by a combination of character substitution and using a phrase. Even something as simple as "#Fr3ddy M3rcury#" is complex enough for most uses, yet is remarkably easy to remember.
Solution 5
Consider that an eight-character password may be remembered. A 20-character password will be written down.
And then someone can read it.
Sarbanjeet
Updated on September 17, 2022

Comments
- Sarbanjeet (almost 2 years): I recently received a recommendation for setting my password to above 20 characters. The algorithm used for encryption is AES with a 256-bit primary key. How secure is a, let's say, 8-char password against brute force attacks for deciphering encrypted files? I know that this is considered a good password size on most websites. One reason for this is that they can stop an attack after 3 attempts or so.
- Mark Davidson (almost 15 years): +1 Because Bruce Schneier is the king of security, his word is law.
- Sarbanjeet (almost 15 years): Ok, this is a very interesting link. It gives a good idea of what type of force you need for what time frame. So, given enough resources, it's also possible to break an 8 character password, especially if it's not a good one.
- Cian (almost 15 years): It's still going to take 83.5 days at 100,000 passwords/second. That's not really possible for most attacks. Especially if you're talking about a server password, rather than a PGP passphrase. If they don't have the hash, 8 (random) chars is essentially unbreakable.
- Sarbanjeet (almost 15 years): I wasn't talking about server passwords because I know there you can use much simpler passwords because servers offer extra protection against attacks. I meant in other cases, e.g. file encryption.
- Sarbanjeet (almost 15 years): You're right. And there can also be many other factors that will influence the type of security for encrypted files.
- chris (almost 15 years): MD5 passwords use a pretty big salt. I don't think your rainbow tables are going to be big enough to have both all 8 character passwords and all salts for each possible password.
- chris (almost 15 years): A very long password may not necessarily be written down if it is a set of 5 normal English/your language words. Brains are good at remembering them and there are a lot of them out there.
- John Saunders (almost 15 years): Speak for your own brain. Mine shuts right down at the thought of remembering 20 characters.
- Sarbanjeet (almost 15 years): I suppose that you're referring to a class A attack (10,000 passwords/sec). If I look at this table and think about a large institution, then it just might be doable for 86 characters, 8 char password, class E or F attack: from 34 to 346 days. This is not 10000 years ;)
- Marko Carter (almost 15 years): To be honest I didn't check the maths in the post!
- John Gardeniers (almost 15 years): Would you risk your security on that? My tables are a total of 25GB. That's 40 tables at 650MB each. One day I'll generate a large set. :)
- chris (almost 15 years): Um, aren't there 2^32 salts for an MD5 password? That's 2^32*650MB. Good luck with that.
- chris (almost 15 years): If your password were "bowels dungeon metaphysical pierce stagnates" you'd probably be able to remember it after using it a couple times.
- John Saunders (almost 15 years): Nope. No relationship between the words. No story to tell myself that I'd remember to tell myself the next time I need the password. I use a password generator program to generate random passwords (I use at least eight characters at all times). I keep generating until I see a password that I can make into a word I can remember, like "cinnademo" = "cinnamon" + "demonstration". That, I can handle.
- Mark Davidson (almost 15 years): I did the rainbow tables for all ASCII character LM hashes, 64GB, took almost a week using 20 nodes of my university's cluster. Takes about 3 minutes to go through, quite mental. Allows for cracking of all Windows passwords <= 16 characters.
- chris (almost 15 years): According to Wikipedia, the LM hashes don't have a salt. MD5 passwords do have a salt, which means that any single password may have (saltspace*password) hashes, which means you need to have 1 rainbow table per salt.
- chris (almost 15 years): I have direct experience to the contrary. One app I wrote used 4 word passphrases; it was in use for about a year and a half. 9 years after it had been decommissioned, I talked to several different people who used it and all of them remembered their passphrases. Mine was "bilingual extradite propaganda renumber".
- John Saunders (almost 15 years): @chris: again, please be careful about generalizing. The thing about different people is, they're different. I'm glad it worked for you - I don't think it would work for me.
- Howard Lince III (over 5 years): It'd be good to update this answer. The link is no longer useful, offering a "Closed permanently". For anyone who wants to see the content, wayback machine has your back: web.archive.org/web/20180412051235/http://www.lockdown.co.uk/…
- Student (over 4 years): Conclusion I see: mix little and capital alphabets and numbers. Length > 15 is good.