Slashdot Mirror

← Back to Stories (view on slashdot.org)

Passwords - 64 Characters, Changed Daily?

Posted by timothy on from the too-much-overkill-is-never-enough dept.

isepic writes "It seems over the past few years that the password requirements have changed - each time making it even more difficult to crack. My company just changed its password requirements from 180 days down to 90 for most servers and from a minimum of six characters up to eight. So, as parallel processing computer clusters gain in power according to Moore's law, how are we expected to change them in the next 2-10 years --- and how often?"

"Hopefully by then, there will be a better way, but I really don't want to have to change my password every 8 hours, and not be able to use the last 5 I've used, AND have them each be some awfully long and complex string of hard-to-remember ASCII codes just because a computer can crack a 32 char password in 10 seconds.

What are your thoughts? Do you think one day we'll be SOL, or do you think something 'better' may come (e.g. biometric scanners on every keyboard and or mouse and or monitor - etc.)"

2 of 645 comments (clear)

  1. One time use? by slykens · · Score: 5, Informative

    SecurID and its like are your friends.

    While you maintain a reasonably secure password you're not logging in without the token.

  2. Anderson's formula. by Anonymous Coward · · Score: 5, Informative
    How long does it take? Use Anderson's formula to figure it out.

    T = N/(PG)

    In this:
    1. T: The time units needed to guess the password
    2. G: The guess rate, or the number of attempts to guess the password in a single time unit
    3. P: The probability you want that the password is guessed. (Or use '1-P' to go the other direction.
    4. N: The number of possible passwords, usually A^l, where
      1. A: Alphabet used for passwords. E.g., There are 96 printable ascii characters often used in passwords. Or maybe its case insensitive, so subtract 26.
      2. l: The number of characters in the minimum password.


    So, let's say you want only a 10% chance your password is guessed. And you estimate an attacker can perform 2,000,000 guesses per second with his drone army. The passwords are from an alphabet of 26 characters, and are a minimum of 4 characters long. That means... (tappity, tappity on the TI calculator)... Um, that means you'll be hacked instantly. :)

    Read more on Anderson's formula by googling. :)