This month's Law Practice magazine brings an interesting feature from Sharon Nelson and John Simek titled Creating Secure Passwords: The Rules Have Changes (Again). They cite some researchers from the Georgia Institute of Technology who put together some fast CPU's with clusters of graphics cards to crack eight-character passwords in less than two hours. So that makes it pretty clear that eight-character passwords need to be "upgraded." The researchers suggest a 12 character password. According to their theory, an 11 digit password might be cracked within 180 years while a 12 digit password would take 17,134 years. What a difference a digit makes!
You might think either combination would be fine as you do not plan to live 180 years anyway, but Moore's law tells us that computing power will continue to increase. They cover some good tips on creating strong passwords and highlight a couple of products that are useful. As we all know, stronger passwords are much harder to remember. In fact, if you want a laugh, go to this Microsoft resource on how to create a password you can remember. They have a nice little table with an example. While their points are valid, the example they end up with at the end of the table is impossible for most of us to remember.
There are several things people do that could compromise their passwords without the need for a high speed CPU with clusters of graphics cards. Ever leave your mobile phone somewhere? Ever forget a password and have to recover it? Now put those two thoughts together. If you leave your phone somewhere and your receive e-mail on your phone, someone at the friend's house where you left it could do a few password recovery routines and get your passwords. Then they could delete the e-mails and you'd never know–at least until you got your bank statement or information about your other valuable online accounts. So an important rule on protecting your passwords is to put a security code on your mobile phone. The same logic applies to always hitting the Windows key and letter L to lock you computer when you leave your office. It is certainly unlikely that someone will sneak into your office. but not impossible. And if they see you going to lunch and they go in and close the door, they have a nice window of opportunity.
There are other issues with security of your e-mail account. Maybe you don't set up to get e-mail on your iPad if you let all of the teenagers play with it when you have it at home. Or maybe you set up an a-mail account just for password recoveries. Standard operating procedure is that IT Departments often force you to change your password every 60 days or so. I understand the logic, but doesn't that make it more likely that employees will write down their passwords and keep the paper somewhere in their desk? Security guru Bruce Schneier acknowledges that most people write them down and says if you do, it is probably better to keep them in your wallet. This makes sense to me as long as long as you do not put the service or account name next to the password. It won't be near your desk where the password could be used to log into the network. And, most importantly, if you lose your wallet and a bad guy finds it, he'll be too busy with your credit cards to worry about cryptic writing on scraps of paper.
Lots of banks and other important online services only require an eight character password. But they often have another line of protection. A few bad logins and you get locked out of the system, for a while at first, but then permanently until you contact the institution. They could be annoying, but not as annoying as your funds all being transferred out of your stock brokerage account.
This is not to say that that I disagree with Sharon, John or the researchers they cited. I think 12 characters is the new standard. Just remember that you and your habits are a weaker link than whether you have 10 or 12 character passwords. For many of us, the habit during the holiday season may be spending the money as soon as it comes into the bank account so no bad guys can touch it. But if you haven't set a security code or PIN on that mobile phone in your pocket or purse, why not do so right now?