At the recent Marconi Society symposium, a speaker asked the sardonic question (I’ll paraphrase), "Who did more harm, the author of the Morris worm or the programmer who limited Unix passwords to 8 characters?" He was implying that forcing short passwords made them easily guessable – a bad thing. The problem of password limits is not gone.
Websites today limit passwords to artificially short lengths. Today, I was limited to 12 characters. While that appears sufficient, it is too short for some purposes. Hackers or thieves who get password files (the passwords will be encrypted) will be able to discover the passwords if they try hard enough. The detailed answer takes math, but I’ll include it (in a different font) for those who don’t shudder at the thought:
12 characters appear to be enough. With each character in your password you have (worst case) 256 possible choices. That’s 2**8 choices (2 to the 8). In practice, it’s fewer, but let’s consider the worst case for now. With 12 characters, that’s (2**8)**12 = 2**96 possible 12-character passwords. If you include all 11-character passwords, etc. that almost doubles the total, so let’s say 2**97 possible passwords total.
It appears too hard to be worth trying. A hacker trying all possible passwords would try each one "brute force" and it would take on average half (2**96) before he stumbled on the right one. With the password, he drains your bank account, in my case $100.
That sounds like a lot of passwords to try, too many to make this approach practical: if 2**56 possibilities takes a day, 2**96 possibilities would take a trillion days. So we’re safe with 12-character passwords, right? Let’s think again.
But it’s not as hard as it looks. There really aren’t 256 possible characters to use in passwords; it’s more like 94 (the alphabet in upper and lower case, and normal keyboard characters like !, @ and #). This results in 2**74 possible passwords to search, on average, a reduction by a factor of a million. If you used only lower case and numbers, that’s only 2**62, which means these passwords can be cracked in 64 days! Hackers have botnets (thousands of computers that they can control) and plenty of time.
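The arithmetic in the last four paragraphs is easy to redo exactly rather than by rounding powers of two in your head. The following Python is an added example, not part of the original post: it counts every password up to a given length over an alphabet of a given size, converts the count to bits, and applies the post's assumed cracking speed of 2**56 guesses per day (that rate, and the alphabet sizes 256, 94 and 36, are taken from the post; the constant names and the helper `min_length_for_bits` are my own). The last function goes slightly beyond the post: it answers how long a lower-case-plus-digits password has to be to match a 12-character keyboard password, which is the "bigger is better" argument in numbers.

```python
import math

# Alphabet sizes used in the post: every byte value, the printable keyboard
# characters, and lower case letters plus digits.
FULL_BYTE = 256
PRINTABLE = 94
LOWER_DIGITS = 36

# The post's assumed cracking speed (an assumption, not a measured figure).
GUESSES_PER_DAY = 2 ** 56


def keyspace(alphabet_size: int, max_len: int, min_len: int = 1) -> int:
    """Count every password of length min_len..max_len over the alphabet.

    Exact integer arithmetic, so nothing is lost to floating point even
    for spaces the size of 2**96.
    """
    if alphabet_size < 1 or min_len < 1 or max_len < min_len:
        raise ValueError("need alphabet_size >= 1 and 1 <= min_len <= max_len")
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def bits(space: int) -> float:
    """Size of a search space expressed as a power of two (log2)."""
    return math.log2(space)


def days_to_exhaust(space: int, guesses_per_day: int = GUESSES_PER_DAY) -> float:
    """Worst case: the attacker has to try every password in the space."""
    return space / guesses_per_day


def days_on_average(space: int, guesses_per_day: int = GUESSES_PER_DAY) -> float:
    """Expected case: the right password turns up after half the space."""
    return days_to_exhaust(space, guesses_per_day) / 2


def min_length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Shortest length at which a single-length space reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


if __name__ == "__main__":
    for name, size in (("any byte", FULL_BYTE),
                       ("keyboard", PRINTABLE),
                       ("a-z0-9", LOWER_DIGITS)):
        space = keyspace(size, 12)
        print(f"{name:>9}: 2**{bits(space):.1f} passwords of <=12 chars, "
              f"{days_to_exhaust(space):.3g} days to exhaust, "
              f"{days_on_average(space):.3g} days on average")
    # How long must a lower-case+digits password be to match 12 keyboard chars?
    target = bits(keyspace(PRINTABLE, 12, 12))
    print("a-z0-9 needs", min_length_for_bits(LOWER_DIGITS, target),
          "characters to match a 12-character keyboard password")
```

Running it prints the exact bit counts behind the post's rounded figures and shows that a 16-character password drawn only from lower case and digits already has a larger search space than a 12-character password drawn from all 94 keyboard characters.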
The point is that passwords should be long, random and hard to guess; otherwise, well, it’s going to be guessed. If they are hard to remember, store them somewhere safe where you can look them up. The more important the login account, the stronger the password. Banking passwords are more serious than Facebook.
And if you come to a site that limits you to 6, 8 or 12, tell them "bigger is better".