How long of a password do you need to be safe?

Say you start with a typical password of six characters. When you enter this into your computer's authentication mechanism, it is hashed and stored in a database. The hash, a fixed-sized string derived from some arbitrarily long string of text, is generated by a formula in such a way that it is extremely unlikely that other texts will produce the same hash value--unlikely, but not impossible.

Because passwords are not arbitrarily long--they are generally 4 to 12 characters--this reduces the search space should someone else try to find a matching hash to that of your password's. In other words, an attacker's password-cracking program does not need to calculate every possible combination of six-character passwords. It only needs to find a hash of a six-character ASCII-printable password that matches the hash stored in the password file or sniffed off the network.

Because an attacker cannot try to guess passwords at a high rate through the standard user interface (the time to enter them is prohibitive, and most systems can be configured to lock out the user out after consecutive wrong attempts), one may assume that the attacker will get them either by capturing the system password file or by sniffing the network segment.

Each character in a password is a byte. Printable ASCII characters are in codes 32 through 126. ASCII codes 0-31 and 127 are unprintable characters, and 128–255 are special ALT-characters that are not generally used for passwords. This leaves 95 printable ASCII characters.

If there are 95 possible choices for each of the six password characters, this makes the password space 95^6 = 735,091,890,625 combinations.

Modern computers are capable of making more than 10 billion calculations per second. It has been conjectured that agencies such as the NSA have password-cracking machines (or several machines working in parallel) that could hash and check passwords at a rate of 1 billion per second.

How fast, then, could an attacker check every possible combination of six-character passwords? 735,091,890,625/1,000,000,000 = about 12 minutes (See table below).

Mind you, this is the time needed to brute force every possible combination of passwords. In reality, password crackers first use dictionary and hybrid attacks before resorting to brute force. Thus, if your password is weak (i.e., easily guessed and not sufficiently random), the time to crack it will be much shorter.

What if the system forces users to have a seven-character password? Then it would take an attacker 19 hours to brute force every possible password. Many Windows networks fall under this category due to backward compatibility issues. Passwords on these systems cannot be much stronger than seven characters. Thus, it can be assumed that every password sent on a Windows system using LAN Manager can be cracked within a day.

What if the system enforces eight-character passwords? Then it would take 77 days to brute force them all. If a system's standard policy is to require users to change passwords every 90 days, this may not be sufficient.

It looks like nowadays, you need at least a nine-character password (which is not easily guessed or social engineered) to be "safe." This is at the upper limit of normal human memory, according to Miller's magic rule of "seven, plus or minus two".

#Chars       #Combinations                   Time to crack (hrs)

0                1                                        0.0

1                95                                      0.0

2                9025                                  0.0

3                857375                              0.0

4                81450625                          0.0

5                7737809375                      0.0

6                735091890625                  0.2

7                69833729609375              19.4

8                6634204312890620          1842.8

9                6.E+17                               2.E+05

10              6.E+19                               2.E+07

11              6.E+21                               2.E+09

12              5.E+23                               2.E+11

13              5.E+25                               1.E+13

14              5.E+27                               1.E+15

15              5.E+29                               1.E+17

16              4.E+31                               1.E+19

*Assuming 1 billion hash and check operations per second