Once an attacker gains access to your machine, one of the first things they will do is dump the password hashes. The attacker can then run the hashes through various password-cracking tools. These tools try most of the tricks people use today (e.g. replacing "a" with "@", replacing "e" with "3", keyboard patterns, etc.).
In the past, security researchers thought that 8-character passwords with 3-factor complexity (uppercase, numerals, and special characters) would provide a sufficient level of security. However, auditors base this recommendation on the National Institute of Standards and Technology (NIST) "Green Book" of 1985. Those recommendations assume password guessing over a network supporting a 300-baud service, allowing 8.5 guesses per minute.
Using Tribridge standard-issue laptops, I have cracked weak passwords of 8 characters or fewer in a few seconds. The time varies with the password's complexity and the hashing scheme used by the system that created the password hash.
Often the complexity of passwords causes users to write them down, which contributes to an insecure environment. The Tribridge Security Team, along with many security researchers, now recommends using 18-character alphanumeric, non-complex passwords. Depending on the hashing scheme used, it could take billions of years to crack passwords of this length.
18-Character vs. 12-Character Passwords: Which is Better?
You may be wondering why we recommend 18 characters rather than 12. According to the password calculator link posted above, a 12-character LanMan password (Windows XP) would take over 124 years to crack. However, in 1985, 300 baud was normal, and processing power will continue to get much faster. Recently one security researcher built a 25-GPU (graphics processing unit) system that was able to cycle through 348 billion NTLM password hashes per second. That is a little bit faster than my laptop.
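The two guess rates in this post (8.5 guesses per minute from the 1985 assumptions, and 348 billion NTLM hashes per second from the GPU rig) are enough to show how length changes worst-case cracking time. The following calculator is an added example written for this post, not the password calculator the post refers to; the character-set sizes are standard printable-ASCII counts and the LM-hash behaviour (uppercase, two independent 7-byte halves) is a well-known property of that legacy format, both of which I am assuming here rather than taking from the post.

```python
import math

# Guess rates stated in the post.
GREEN_BOOK_RATE = 8.5 / 60   # 1985 assumption: 8.5 guesses per minute, in guesses/second
GPU_RIG_RATE = 348e9         # 25-GPU rig: 348 billion NTLM hashes per second

# Assumed character-set sizes (printable ASCII counts).
CHARSETS = {
    "lowercase": 26,      # a-z
    "alphanumeric": 62,   # a-z, A-Z, 0-9 (the "non-complex" set the post recommends)
    "complex": 95,        # all printable ASCII, i.e. 3-factor complexity
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(length: int, charset_size: int) -> int:
    """Number of distinct passwords of exactly `length` drawn from `charset_size` symbols."""
    return charset_size ** length


def worst_case_years(length: int, charset_size: int, rate: float) -> float:
    """Years needed to exhaust the whole keyspace at `rate` guesses per second.

    This is a brute-force upper bound: dictionary and rule-based attacks finish far
    sooner for human-chosen passwords, so treat it as the best case for the defender.
    """
    return keyspace(length, charset_size) / rate / SECONDS_PER_YEAR


def lm_effective_keyspace() -> int:
    """Effective search space for a LanMan (LM) hash (assumed legacy behaviour).

    LM uppercases the password, pads or truncates it to 14 bytes and hashes the two
    7-byte halves independently, so an attacker never searches more than
    2 * 69**7 candidates (69 = 26 uppercase + 10 digits + 33 symbols), whatever the
    nominal password length is.
    """
    return 2 * 69 ** 7


def comparison_table() -> list[tuple[str, int, float, float]]:
    """(charset, length, years at 1985 rate, years at GPU-rig rate) for the post's cases."""
    cases = [("complex", 8), ("alphanumeric", 12), ("alphanumeric", 18)]
    return [
        (name, n,
         worst_case_years(n, CHARSETS[name], GREEN_BOOK_RATE),
         worst_case_years(n, CHARSETS[name], GPU_RIG_RATE))
        for name, n in cases
    ]


if __name__ == "__main__":
    for name, n, y1985, ygpu in comparison_table():
        print(f"{n:2d}-char {name:13s}: {y1985:.3g} years @ 8.5/min, {ygpu:.3g} years @ 348e9/s")
    print(f"LM effective keyspace: {lm_effective_keyspace():.3g} "
          f"(vs {keyspace(8, 62):.3g} for an 8-char alphanumeric NTLM password)")
```

Run as-is to print the table. The 8-character complex password that looked safe at 8.5 guesses per minute falls to a few hours at the GPU rig's rate, while the 18-character alphanumeric password stays in the trillions of years even as a pure brute-force bound; the LM figure shows why a 12-character password stored as an LM hash is no better than a 7-character one.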
Lengthy non-complex passwords may seem complicated, but they can be easier to remember than complex passwords. Use a familiar phrase or sentence. Using familiar phrases as passwords can even reduce the number of helpdesk calls for password resets.
We still recommend that companies expire passwords every 90 days. I know, now you are saying to yourself, "but my 18-character password will take 38 billion years to crack". That, my friends, is a topic for another day.