Your Password Should Be At Least 12 Random Characters Long

According to a study at Georgia Tech Research Institute, your password should be at least 12 random characters long (and include letters, numbers and symbols) if you want to consider yourself safe from brute force password hacks.

From MSNBC: "'Eight-character passwords are inadequate now ... If eight characters is all you use, and if you restrict your characters to only alphabetic letters, it can be cracked in minutes,' said Richard Boyd, a senior researcher at GTRI."

We've highlighted how easily common passwords can be hacked, but even if you've got a system auto-generating your passwords, you may want to make sure you're going for at least 12. [MSNBC via @wjrothman]
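To make the arithmetic behind the 12-character recommendation concrete, here is an added example (not part of the original article or the GTRI study) that computes the entropy and worst-case exhaustive-search time for the policies the article contrasts, generates a compliant random password, and checks a password against the "12+ characters with letters, numbers and symbols" rule. The guess rate of 1e10 per second is an assumed figure, not one taken from the report.

```python
import math
import secrets
import string

# Character sets used in the article's comparison: alphabetic-only versus
# letters, digits and symbols (sizes follow Python's string constants).
ALPHA = string.ascii_letters                                       # 52 symbols
MIXED = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: log2 of the keyspace size."""
    return length * math.log2(alphabet_size)

def seconds_to_exhaust(length, alphabet_size, guesses_per_second):
    """Worst-case time for an offline attacker to try every password."""
    return alphabet_size ** length / guesses_per_second

def compare_policies(guesses_per_second=1e10):
    """Entropy (bits) and exhaustive-search time (years) per policy.

    The 1e10 guesses/s figure is an assumption standing in for an
    offline attacker with dedicated hardware; it is not from the article."""
    policies = [("8 alphabetic", 8, len(ALPHA)),
                ("8 mixed", 8, len(MIXED)),
                ("12 mixed", 12, len(MIXED)),
                ("20 mixed", 20, len(MIXED))]
    year = 365.25 * 24 * 3600
    return {name: (entropy_bits(n, k),
                   seconds_to_exhaust(n, k, guesses_per_second) / year)
            for name, n, k in policies}

def generate_password(length=12, alphabet=MIXED):
    """Uniformly random password drawn from the OS CSPRNG via `secrets`."""
    if length < 12:
        raise ValueError("article recommends at least 12 random characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))

def meets_recommendation(password):
    """Check the article's rule: 12+ chars with a letter, a digit and a symbol."""
    return (len(password) >= 12
            and any(c in string.ascii_letters for c in password)
            and any(c in string.digits for c in password)
            and any(c in string.punctuation for c in password))

if __name__ == "__main__":
    for name, (bits, years) in compare_policies().items():
        print(f"{name:13s} {bits:6.1f} bits  ~{years:.3g} years to exhaust")
    print(generate_password())
```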


    It's soon going to get to a point where passwords are no longer safe. If the requirement for a secure password is now 12 random characters, what chance does a normal person have of remembering that (not to mention the fact that you'd want a different 12-character string for each password you have)? In a few years' time, when computing power has increased further, we'll have to move to 20-character passwords. It can't continue like this.

      Cameron - use LastPass and you will never have an issue again.

    And Westpac won't let you have more than six characters for their internet banking.

      And Commonwealth Bank can't tell the difference between upper case and lower case lettering.

      Why are some of our more important passwords (net banking) forced to be less secure?

        Things are a little bit different here. In the report, the hacker has full control of the encrypted file, for example a zip file with a password. He can use the full power of a computer to try passwords.
        However, banks should have an internal security check to block any further password guessing after, say, 5 unsuccessful attempts.

      Westpac's 6 character passwords have always baffled me.

        There is probably some obscure antique system deep inside the Westpac network that can't handle passwords longer than 6 chars, so they keep everything to that. The Uni I work at won't let you have passwords longer than 12, for similar reasons.

    Thanks to the excellent LastPass ecosystem, my passwords are different for every site/login and all look like this.

    [email protected]%[email protected]$T$VycSNREvXWauN

    The only time they are "less" secure than this is when sites impose limits on password length and complexity. Even eBay and PayPal, and especially banks, seem to have very small maximum password allowances. Certainly less than 15 chars, with no specials allowed. Time to upgrade the industry's thinking as a whole on this matter IMO.

    I'm going through right now using 1Password to set all of my 'secure' passwords to randomly generated ones. Things like my bank/PayPal etc. Making them as secure as I can in the confines of the website's password requirements.

