Skip to main content

Passwords Need at Least 12 Characters to Be Safe

Thanks to rapid increases in computing power, your confidential information is probably not safe unless you use a 12-digit randomized password, experts say.

Recent research from the Georgia Tech Research Institute (GTRI) indicates that to defeat a new generation of encryption cracking software, passwords need a length of at least 12 randomized characters consisting of letters, numbers and symbols. Anything else — a keyword, a birthday or a pattern of symbols — makes you an easy mark.

“Eight-character passwords are inadequate now ... If eight characters is all you use, and if you restrict your characters to only alphabetic letters, it can be cracked in minutes,” said Richard Boyd, a senior researcher at GTRI.

The need for increasingly complex security measures comes from two weapons in the hacker arsenal: commercial quality code breaking software and the supercomputer power of graphics cards and botnets, said Joshua Davis, a research scientists at GTRI.

Code breaking software uses two techniques to break through password protections. The first is a vast dictionary of common password phrases, which can crack simplistic passwords like “12345” and similar patterns. The other, brute force, simply tries every possible eight-character combination until it hits the right one. Brute force invasion used to require an unreasonable amount of time, but increasing computing power has allowed off the shelf computers to accomplish that task, Davis said.

Nevertheless, a password of 12 random characters that includes symbols is still an effective barrier to the brute force method.

“If you have a 12 character password, and if your password is a combination of just gobbledygook letters, I think only an intelligence agency or some well funded organization would be able to break it in a reasonable amount of time,” Boyd said.

Unfortunately, even a password of 12 random characters may soon become too weak to provide adequate protection. Computers will soon reach the power needed to crack 12 character random passwords, and certain kinds of computer viruses that monitor data directly from the keyboard can break a password of any size and complexity.

“If you have a Trojan that records keystrokes, you’re screwed,” Davis said.

But like every aspect of computer security, password protection is a game of cat and mouse between hackers and security experts. Some banks in Europe have already begun issuing their customers special handheld devices that generates single use passwords, Davis said. By constantly rotating the password, the device defends against Trojans, and alleviates the need to memorize multiple random passwords.

Of course, it’s only a matter of time until hackers figure out how to beat that technique as well.

“Any technique that’s in common use," Boyd said, "people have made some headway in cracking.”

Stuart Fox currently researches and develops physical and digital exhibit experiences at the Science Liberty Center. His news writing includes the likes of several Purch sites, including Live Science and Live Science's Life's Little Mysteries.