A new study has concluded that most people choose passwords that are far too short to be totally secure against brute force attacks from criminals. Researchers at the Georgia Institute of Technology are recommending that 12 characters become the standard length to ensure protection.
This conclusion has been reached as a result of a hacking test involving groups of computers which were able to guess an eight-character password within two hours. This was possible because the cracking technique harnessed not only the CPU but also the GPUs of each machine, giving the networked PCs far greater combined processing power.
Twelve-character passwords are being named as the new gold standard in data protection because cracking one with the same process used in the Georgia experiment would take up to 17,000 years, a margin with which most businesses and individuals will be comfortable.
A spokesperson for the institute said that it was not making use of any hardware which could not be acquired by the average consumer, before pointing out that the passwords chosen in the tests would be in common use across the public and private sector.
Researchers believe that seven- and eight-character passwords cannot be seen as properly secure by modern standards because of the increasing sophistication of the graphics processors available to malicious groups.
12 characters is better than both 11 and 13: an 11-character password offers a much reduced 180 years of cracking time, which could easily be whittled down with next-generation hardware, while a 13-character password is that much harder for people to remember.
In order to protect data and personal information still further, it is recommended that where password systems allow the use of various non-standard characters such as punctuation marks and the @ symbol, they should be used. With a total of 95 usable letters, numbers and symbols on a standard UK keyboard the potential to create an uncrackable password is significant.
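The figures above follow from how an exhaustive search scales: each extra character multiplies the work by the size of the character set. The Python sketch below is an added example, not code from the study; it assumes the two-hour, eight-character result covered the full 95-character set and derives a guess rate from that, so its outputs land near, rather than exactly on, the article's 180 and 17,000 years.

```python
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def keyspace(alphabet_size, length):
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length

def calibrate_rate(alphabet_size, length, seconds):
    """Guesses per second implied by exhausting a keyspace in `seconds`."""
    return keyspace(alphabet_size, length) / seconds

def worst_case_years(alphabet_size, length, rate):
    """Years needed to try every candidate at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate / SECONDS_PER_YEAR

def min_length(alphabet_size, rate, target_years):
    """Shortest length whose exhaustive search lasts at least target_years."""
    length = 1
    while worst_case_years(alphabet_size, length, rate) < target_years:
        length += 1
    return length

# Assumption: the article's "eight characters within two hours" was an
# exhaustive search over all 95 keyboard characters.
RATE = calibrate_rate(95, 8, 2 * 3600)

def report():
    """Return (alphabet, length, years) rows for the cases the article names."""
    rows = []
    for alphabet in (26, 95):          # lowercase only vs. full keyboard set
        for length in (8, 11, 12, 13):
            rows.append((alphabet, length,
                         worst_case_years(alphabet, length, RATE)))
    return rows

if __name__ == "__main__":
    print(f"implied rate: {RATE:.3e} guesses/second")
    for alphabet, length, years in report():
        print(f"alphabet={alphabet:3d} length={length:2d} "
              f"worst case={years:.3e} years")
    # Length needed to hold out 1,000 years at the calibrated rate.
    for alphabet in (26, 95):
        print(f"alphabet={alphabet}: need >= "
              f"{min_length(alphabet, RATE, 1000)} characters")
```

At the calibrated rate a 12-character password drawn only from lowercase letters is exhausted in a little over a day, which is why the advice on using the full character set matters as much as the length.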
Several recent surveys have found that UK computer users are not keeping their details safe because they choose generic, easily guessable passwords which an intelligent human could predict relatively quickly. This report, which was also covered by CNN, shows that the problem for business users could be even more significant.