April 29, 2012, 5:02 PM
The challenge today is, of course, that most of us have too many accounts on too many systems. Remembering a very large number of passwords is nearly impossible. We systems administrators have an especially challenging time because we often have to remember dozens if not hundreds of passwords for the systems we manage, in addition to those associated with our personal accounts on Facebook, Twitter, Gmail, LinkedIn and a pile of other systems we use.
So how should we define what constitutes a good password and how do we go about enforcing good choices?
For one thing, the length of a password makes a difference. This cannot be stressed enough. For every character that is added to a password, the number of possible passwords increases by a factor of as much as 90 if the full set of 26 lowercase letters, 26 uppercase letters, 10 digits, and 30 or so special characters can be used. It's simply a matter of math.
In the last couple of years, the password length recommended by security professionals has gone from eight to twelve characters. And that's twelve characters at a minimum! That's a huge increase! This recommendation derives from some research that was performed at the Georgia Institute of Technology in which researchers used clusters of graphics cards to crack eight-character passwords and found that they could do it in less than two hours. Yes, graphics processors -- system components designed for highly parallel processing in order to meet the needs of today's gamers -- were deployed in password cracking.
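The arithmetic behind both points above, as an added example that is not part of the original post: the keyspace grows by the character-set size for every extra character, and the "eight characters in under two hours" figure can be scaled to a twelve-character minimum. The guess rate is derived on the assumption that the reported crack covered the entire eight-character keyspace, which is an illustrative assumption rather than anything the research stated.

```python
# Added example (not from the original post). Every figure derived below rests
# on the stated assumption that the 8-character crack exhausted the full keyspace.

LOWER, UPPER, DIGITS = 26, 26, 10
SPECIAL = 30                                      # the post says "30 or so"
FULL_CHARSET = LOWER + UPPER + DIGITS + SPECIAL   # 92, which the post rounds to ~90


def keyspace(length, charset):
    """Number of distinct passwords of exactly `length` characters."""
    return charset ** length


def cumulative_keyspace(max_length, charset):
    """Passwords of every length from 1 to max_length: what an exhaustive
    search that tries shorter candidates first covers in the worst case."""
    return sum(charset ** n for n in range(1, max_length + 1))


def growth_factor(from_length, to_length, charset):
    """How many times larger the keyspace gets when the length grows."""
    return charset ** (to_length - from_length)


def implied_rate(length, charset, crack_seconds):
    """Guesses per second implied by exhausting a keyspace in crack_seconds."""
    return keyspace(length, charset) / crack_seconds


def seconds_to_exhaust(length, charset, rate):
    """Worst-case time to try every password of this length at the given rate."""
    return keyspace(length, charset) / rate


def compare_lengths(short=8, long=12, charset=FULL_CHARSET, short_crack_seconds=2 * 3600):
    """Scale the post's '8 characters in under 2 hours' to the 12-character minimum."""
    rate = implied_rate(short, charset, short_crack_seconds)
    secs = seconds_to_exhaust(long, charset, rate)
    return {
        "guesses_per_second": rate,
        "growth_factor": growth_factor(short, long, charset),
        "long_seconds": secs,
        "long_years": secs / (365.25 * 24 * 3600),
    }


if __name__ == "__main__":
    for lo, hi in [(8, 9), (8, 12)]:
        print(f"{lo} -> {hi} chars: keyspace grows {growth_factor(lo, hi, FULL_CHARSET):,} times")
    r = compare_lengths()
    print(f"implied rate: {r['guesses_per_second']:.3g} guesses/s")
    print(f"12-character keyspace at that rate: about {r['long_years']:,.0f} years")
```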