How long should passwords be?

[Shotgun]

i use 12 characters, in which the words are in the dictionary. and no hackingas of yet. 

You've just been lucky. I work in a university, and I can't indulge myself into that luxury.

There's always some "smartie" who tries everything to get at the admin password or restricted areas. You name it: software keyloggers, HW keyloggers, cellphone cameras (taking video while someone is writing their pw or entering an access code in a keypad), the ol' looking over the shoulder trick, etc. Of course, most of those hackers-wannabe's are either suspended from the university, or dropped off after applying disciplinary action.

I use a biometric HW key for really critical things, and if I ever need to write a password @ a public use computer at the university, I change the pw immediately a few seconds afterwards. I've had my share on too many hacking attempts.

[sonu27]

I would say 8.

[choppa]

I use a biometric HW key for really critical things...

I assume that you're reffering to biometric scanners which are hardwired (locked) and can't be manipulated (plugged in/unplugged). Because if they are movable, it only takes 5 seconds for someone with a hardware passthrough logger to record the communication details, and a bit of time to decode the encoding mechanism.

I should know, as it has happened around a place I frequent. Resulted in massive security overhaul.. biometric ID, RFID tags, and live guards at all key entrances.

[Glowy]

Depends what's the use for it.. my regular pwd is 6 but the pwd on my firewall is 16 characters... random characters.. took me a while to memorize too

[TiXer]

13 off course! My lucky number!

[army20]

I have 6 characters for windows and 49 for PGP

[Nilfred]

Underlie hash strength bit length / 8 + 1

That is for 64 bit hash = 64 / 8 + 1 = 9 characters

No matter how long your password is there are only 2^64 posible hashes.

2^64 =

18446744073709551616

9 Alpha and numbers mixing case and repeating 9 of them are:

58 VR 9 = 58 ^ 9 =

7427658739644928

9 Full ASCII = 255 ^ 9 =

4558916353692287109375

[SiMoNsAyS]

9/10 characters long. you must use at least 2 ascii chars (and/or 2 capitals), 2 symbols and 2 numbers.

a password generator will take thousands of years to find it.

[phoenix_nf]

6 characters. thats the minimum they ask you while registering at websites.

[godan]

i think it depends on what the password is for, all i know is i hate when places require certain things, like you must have x amount of numbers bla bla bla i like my pass to be whatever i want it to be, the last thing i need is another random password to remember just to log on to a message board or sometrhing, not that this one does that nind you..

[Brando569]

i if remember correctly 7 is the magic number. if a password hash is detected that it has more then 7 characters it breaks the hash in half and 'cracks' its like that so its speedier (it runs 2 smaller hashes at the same time instead of one large one) myself i just use a password with ASCII characters, numbers and letters thats more then 7 characters as of yet LC4 cant crack it, (havent tried 5) LC4 said it would take years to crack

[Lost Soul]

id say 8 for me ,, makes me feel a pinch safe some times lol

[rikgale]

8 is the way to go.

Pick a word you like and replace all 'O's and 'L's with 1's and 0's.

[Eonic]

You should not use passwords, period. Use passphrases. L0phtcrack is kind of obsolete in tools used for enumerating passwords. As mentioned earlier rainbow tables is the latest and will munch through passwords in seconds, regardless of which alphanumeric characters you may have used. There are rainbow table forums where they have collectively collaborated on creating large sets of tables for LM (LanMan) passwords. LM hashing is used by Windows for passwords <15 characters. Passwords/phrases >15 characters are automatically stored with NTLM hashing which requires considerably larger rainbow tables (many, many GB) to be enumerated accurately. NTLM hash is of course not foolproof, but increases the security and your sense of safety.

If you still wish to use passwords <15 characters, at least turn off the use of the LM hash. This can be done in many ways, one of which is this: (and all these changes require administrator privelieges)

WinKey+R >> secpol.msc >> Local Policies >> Security Options

Then find: "Network Security: Do not store LAN Manager hash value on next password change"

It is set to "Disabled" by default, change it to "Enabled" and reboot. Change your password and voila, you're done.

You could also take a look at thraslm from toolcrypt.org which removes the LM hash from the registry without a reboot. Link found here:

http://www.toolcrypt.org/index.html?thrashlm

As for the plain registry hack for the registry addicts and unattended cd creators like myself out there, you can change this key/value:

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"LMCompatibilityLevel"=dword:00000000
"NoLmHash"=dword:00000000

Change To:
"LMCompatibilityLevel"=dword:00000003
"NoLmHash"=dword:00000001

Which changes the settings from both LM/NTLM to NTLM only. Just to clarify, disabling LM hash in this way will make the encrypted hash version of your password/phrase a lot more safer from rainbow tables. It does _not_ make it safe to use short passwords from other cracking methods like brute forcing, so I still recomend you to not be lax with what type of password you have. At least this way you do not need a >15 character password to get NTLM security. I hope this was helpful to someone at least, and in light of the Star Wars mood around now.. may the security be with you.

[Blam-O!]

A mim of 6 including at least one number. But the more the better, usually anyways....