Andy O'Donnell

Is Your Password Strong Enough to Not Get Cracked?

By Andy O'Donnell, About.com Guide, September 11, 2010

Eight? Nine? Fifteen characters? How long is long enough when it comes to making a strong password?

According to Richard Boyd of the Georgia Tech Research Institute (GTRI), 8-character passwords "are inadequate." He recommends using at least 12 characters and advises against using words, birthdays, and other patterns.

Password cracking tools have become more sophisticated over the years and can leverage the increasing computing power provided by today's faster processors. How can you protect yourself? Make a longer and stronger password. Here are some tips to help you create a strong password that should be difficult to crack:

  • Make your password at least 12 to 15 characters in length
  • Use at least 2 upper-case and 2 lower-case letters
  • Use at least 2 numbers
  • Use at least 2 special characters, but avoid the common ones: !@#$
  • Avoid using keyboard patterns
  • Avoid using initials or birthdays
  • Avoid using whole words
  • Be as random as possible
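
The tips above turned into a checker, as an added example that is not part of the original article. The word list is a constructed sample, the 4-key run length is an assumption, and the special-character tip is read here as requiring two specials outside !@#$; initials, birthdays and randomness are not checked.

```python
import re

COMMON_SPECIALS = set("!@#$")  # the article says to avoid these
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
# Constructed mini word list; a real check would load a large dictionary.
SAMPLE_WORDS = {"password", "dragon", "monkey", "summer", "welcome", "letmein"}
# Undo common look-alike swaps (0->o, 1->l, 3->e, 4->a, 5->s, 7->t, $->s, @->a).
LEET = str.maketrans("013457$@", "oleastsa")


def has_keyboard_run(pw, run=4):
    """True if pw contains `run` adjacent keys from one row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + run] in low for i in range(len(seq) - run + 1)):
                return True
    return False


def has_whole_word(pw, words=SAMPLE_WORDS):
    """True if a listed word appears once look-alike characters are mapped back."""
    low = pw.lower().translate(LEET)
    return any(w in low for w in words)


def check_password(pw):
    """Return the tips from the list that pw fails; an empty list means it passes."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if len(re.findall(r"[A-Z]", pw)) < 2:
        problems.append("fewer than 2 upper-case letters")
    if len(re.findall(r"[a-z]", pw)) < 2:
        problems.append("fewer than 2 lower-case letters")
    if len(re.findall(r"[0-9]", pw)) < 2:
        problems.append("fewer than 2 numbers")
    specials = [c for c in pw if not c.isalnum() and not c.isspace()]
    if len([c for c in specials if c not in COMMON_SPECIALS]) < 2:
        problems.append("fewer than 2 special characters outside !@#$")
    if has_keyboard_run(pw):
        problems.append("contains a keyboard pattern")
    if has_whole_word(pw):
        problems.append("contains a whole word")
    return problems
```

A password such as `P@ssw0rd!!Zx9-+` meets every counting rule yet is still flagged, because the substitutions map straight back to a dictionary word.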

Comments
December 17, 2010 at 11:19 pm
(1) Mike G :

Way back when mainframes were the dominant computing platform, we had authentication modules that were smart enough not to service scores (let alone thousands) of failed password attempts without taking some kind of defensive action. Just adding 1 additional second delay for each failed attempt would quickly render dictionary attacks obsolete given even a medium strength password. Programs that can crack a password in minutes or hours would take months or years.

The gradually increasing delay would barely be noticeable to a human legitimately making 10 to 20 attempts before succeeding or giving up. After success or x number of hours, the delay is removed. Why doesn’t every authentication module include this kind of defensive algorithm?

December 20, 2010 at 4:16 pm
(2) MikeD :

What's just as bad is that some systems only allow eight characters, max, no special characters, and are case insensitive.

Bank ATM and credit card PINs are bad for this, using only numbers. But I don’t know what the routines are for online access. I would hope that after a number of failed attempts it would force a delay of ten minutes.
