Several websites state that a password length of 8 is good enough, but that number was based on the CPU technology of the time and how long those CPUs needed to break such passwords. Graphics cards have been taking over the password cracking scene for several years now, as password computations (for certain algorithms) are well suited to GPUs rather than CPUs, which can result in several billion password computations/cracks per second!

So why did I recommend a minimum password length of 12 if permitted? Based on the above information, aren’t we screwed? I think it is good enough for now, as it is much better than a length of 8, where an attacker can brute force that key space in a couple of hours to days depending on the GPU and the algorithm used for the password. And a required step in the above scenario is that they have your encrypted password, which would likely come from them hacking into a website and downloading all the customer data.
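To put numbers on the key-space argument above, here is an added worked example (not code from the original post) that computes the key space, entropy and worst-case exhaustive-search time for length 8 versus 12 across a few character sets; the guess rates are constructed round-number assumptions, not measurements.

```python
import math

# Constructed, assumed guess rates for illustration (not measured figures).
# A fast unsalted hash on a GPU and a slow password KDF (bcrypt/scrypt/Argon2)
# differ by many orders of magnitude, which is why the algorithm matters.
GUESS_RATES = {
    "fast hash, one GPU (assumed 1e10/s)": 1e10,
    "fast hash, GPU rig (assumed 1e11/s)": 1e11,
    "slow KDF, one GPU (assumed 1e5/s)": 1e5,
}

CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "alphanumeric": 62,
    "printable ASCII": 95,
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` symbols from the charset."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password of this shape."""
    return length * math.log2(charset_size)


def exhaust_seconds(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case seconds to try every candidate; the expected time is about half."""
    return keyspace(charset_size, length) / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render seconds using the largest unit that fits."""
    for name, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def compare_lengths(lengths=(8, 12)) -> list:
    """One row per (charset, length, rate): entropy and worst-case search time."""
    return [(cs_name, n, rate_name, entropy_bits(cs, n),
             human_duration(exhaust_seconds(cs, n, rate)))
            for cs_name, cs in CHARSETS.items()
            for n in lengths
            for rate_name, rate in GUESS_RATES.items()]


if __name__ == "__main__":
    for cs_name, n, rate_name, bits, t in compare_lengths():
        print(f"{cs_name:16} len={n:2} {bits:5.1f} bits  {rate_name:36} {t}")
```

The output shows 8 printable-ASCII characters falling in a matter of days at the assumed fast-hash rates, while 12 characters pushes the same search past a hundred thousand years.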

What are your thoughts on password lengths? Is it something you worry about? Do you have a better strategy?

For additional reading on password cracking, Dan Goodin of Ars Technica has a couple of good articles on the subject: