Originally Posted By: speedemon
While I don't really use it at the moment my degree was in CompSci, and I still stay up to date with things. Even with the advance in computers, you can't check that many passwords a second, and most all systems have limits. There are at least 96 different characters you can type (lowercase, caps, numbers, symbols, and punctuation). So at 6 characters long, you're at 782,757,789,696 combinations. Even trying to brute-force at 1,000,000 passwords a second (completely infeasible on pretty much every system out there), you're looking at days of time to crack it. Government agencies might be able to, depending on the system. If you're talking about data encryption, with reasonable key-length this is more than enough for a password (the math involved to check keys, or even to compute a key from a given password takes time).
If you're really paranoid, bump it up to 8 characters long (you're up to hundreds of years at 1,000,000 a second). Just make sure it's random. I know it's hard to memorize, but just take some extra time. (I would also tend to disagree with his conclusion to use combinations of words.)


I am a network security consultant. I don't crack passwords except in the course of a security assessment, which always includes written authorization from the customer.

My desktop PC has a quad-core 2.8 GHz processor. I can typically crack 95% or more of a 500-user Active Directory domain's passwords in one day or less. Frequently the first 80% or more are cracked in the first few minutes.

Password complexity has a significant impact on the time it takes and the success rate.
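The keyspace arithmetic in the quoted post, carried through as an added example (not code from either poster): it reproduces the 96-character, 6- and 8-length figures at the quoted 1,000,000 guesses/second and adds the average-case time and an entropy figure for comparison. The 96-character set and the guess rate are taken from the post; the choice of 365.25-day years is an assumption.

```python
import math

CHARSET_SIZE = 96            # character set size assumed in the quoted post
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY   # assumption: Julian year


def keyspace(length, charset_size=CHARSET_SIZE):
    """Number of passwords of exactly `length` characters."""
    return charset_size ** length


def keyspace_up_to(length, charset_size=CHARSET_SIZE):
    """Number of passwords of 1..length characters (an attacker tries short ones first)."""
    return sum(charset_size ** n for n in range(1, length + 1))


def entropy_bits(length, charset_size=CHARSET_SIZE):
    """Entropy of a uniformly random password; meaningful only if it really is random."""
    return length * math.log2(charset_size)


def crack_estimate(length, guesses_per_second, charset_size=CHARSET_SIZE):
    """Worst-case (exhaust the space) and average-case (half the space) search times."""
    worst_seconds = keyspace(length, charset_size) / guesses_per_second
    return {
        "keyspace": keyspace(length, charset_size),
        "entropy_bits": entropy_bits(length, charset_size),
        "worst_days": worst_seconds / SECONDS_PER_DAY,
        "worst_years": worst_seconds / SECONDS_PER_YEAR,
        "average_years": worst_seconds / 2 / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    # The post's two scenarios at 1,000,000 guesses per second.
    for n in (6, 8):
        est = crack_estimate(n, 1_000_000)
        print(f"{n} chars: {est['keyspace']:,} passwords, "
              f"{est['entropy_bits']:.1f} bits, "
              f"worst {est['worst_days']:,.1f} days "
              f"({est['worst_years']:,.1f} years), "
              f"average {est['average_years']:,.1f} years")
```

Note that the estimate only holds for a uniformly random password; a dictionary word with substitutions lives in a far smaller effective space, which is why the replier's hash-cracking success rate bears little relation to these numbers.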