Does Size Matter? Picking a Sane Password Policy
Sep 22, 2009, 16:35
(Other stories by Paul Rubens)
"In the first piece in this series we looked at the desirability
of choosing passwords made up of random characters chosen from as
large a pool as possible--preferably including upper and lower case
letters, numbers and special characters such as punctuation marks
and symbols.
"The SANS Institute recommends passwords should be at least 15
characters long, which effectively means that these passwords can't
be carried around in end users' heads. Let's take a look at how
secure a password this long would be.
"If we take a scenario in which user passwords are made up of
upper and lower case letters and numbers, each password character
can be one of 62 possible characters. A fifteen character password
thus has 62^15, or more than 750 million, million, million, million
possibilities. That's a lot. If you got a pool of a million
computers working on the problem, it would take about 2 million
million years to check them all."