The 12-character era of online security is upon us, according to a report published by Georgia Tech.
The researchers used clusters of graphics cards to crack eight-character passwords in less than two hours.
But when the researchers applied that same processing power to 12-character passwords, they found it would take 17,134 years to make them snap.
“The length of your password in some cases can dictate the vulnerability,” said Joshua Davis, a research scientist at the Georgia Tech research Institute.
It’s hard to say what will happen in the future, but for now, 12-character passwords should be the standard, said Richard Boyd, a senior research scientist who also worked on the project.
The researchers recommend 12-character passwords — as opposed to those with 11 or, say, 13 characters — because that number strikes a balance between “convenience and security.”
They assumed a sophisticated hacker might be able to try 1 trillion password combinations per second. In that scenario, it takes 180 years to crack an 11-character password, but there’s a big jump when you add just one more character — 17,134 years.
Passwords have gotten longer over time, and security experts are already recommending that people use full sentences as passwords.
Here’s one suggested password-sentence from Carnegie Mellon University:
“No, the capital of Wisconsin isn’t Cheeseopolis!”
Or maybe something that’s easier to remember, like this:
“I have two kids: Jack and Jill.”
Even though advances in cheap computing power are making long, complicated passwords a necessity, not all websites will accommodate them, Boyd said.
It’s best to use the longest and most complex password a site will allow, he said. For example, if a website will let you create a password with non-letter characters — like “@y;}v%W$5” — then you should do so.
There are only 26 letters in the English alphabet, but there are 95 letters and symbols on a standard keyboard. More characters means more permutations, and it soon becomes more difficult to for a computer to generate the correct password just by guessing.
Some websites allow for super-long passwords. The longest one Boyd has seen is at Fidelity.com, a financial site that lets users create 32 character passwords.