Creating a Super Password

By John D. Sutter, CNN
August 20, 2010 9:49 a.m. EDT

Want to keep your online data secure? You need a 12-character password,
researchers say.


* Researchers now say computer passwords should be 12 characters
* The old standard — 8 characters — won’t stand up to sophisticated hacks
* The news comes from the Georgia Institute of Technology
* Researchers say you can use sentences as passwords these days

(CNN) — Say goodbye to those wimpy, eight-letter passwords.
The 12-character era of online security is upon us, according to a _report
published this week_ (http://www.gtri.gatech.edu/casestudy/Teraflop-Troubles-Power-Graphics-Processing-Units-GPUs-Password-Security-System)
by the Georgia Institute of Technology. The researchers used clusters of
graphics cards to crack eight-character passwords in less than two hours.
But when the researchers applied that same processing power to 12-character
passwords, they found it would take 17,134 years to make them snap.
“The length of your password in some cases can dictate the vulnerability,”
said Joshua Davis, a research scientist at the Georgia Tech Research
Institute.
It’s hard to say what will happen in the future, but for now, 12-character
passwords should be the standard, said Richard Boyd, a senior research
scientist who also worked on the project.
The researchers recommend 12-character passwords — as opposed to those
with 11 or, say, 13 characters — because that number strikes a balance
between “convenience and security.”
They assumed a sophisticated hacker might be able to try 1 trillion
password combinations per second. In that scenario, it takes 180 years to crack an
11-character password, but there’s a big jump when you add just one more
character — 17,134 years.
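The arithmetic behind those figures is simple enough to reproduce. The following Python is an added example, not code from the CNN article or the Georgia Tech report; it assumes the article's own inputs (95 printable keyboard symbols, 1 trillion guesses per second, a 365-day year) and computes the worst-case exhaustive-search time for each password length, plus how many lowercase-only letters it takes to match a 12-character password drawn from the full keyboard.

```python
# Added example, not code from the CNN article or the Georgia Tech report.
# It reproduces the article's brute-force timing figures from first principles.
#
# Assumptions (all taken from numbers the article states):
#   - 95 printable characters on a standard keyboard
#   - an attacker who can test 1 trillion (10**12) guesses per second
#   - a 365-day year (the article's 17,134-year figure comes out with this)

PRINTABLE_CHARSET = 95      # letters, digits and symbols on a standard keyboard
LOWERCASE_ONLY = 26         # English alphabet, one case
GUESSES_PER_SECOND = 10 ** 12
SECONDS_PER_YEAR = 365 * 24 * 60 * 60


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols drawn from
    a `charset_size`-symbol alphabet: every position is chosen independently."""
    return charset_size ** length


def search_seconds(charset_size: int, length: int,
                   rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time, in seconds, to try the whole keyspace at `rate`
    guesses per second. The expected time is half of this."""
    return keyspace(charset_size, length) / rate


def search_years(charset_size: int, length: int,
                 rate: int = GUESSES_PER_SECOND) -> float:
    """Same as search_seconds, expressed in 365-day years."""
    return search_seconds(charset_size, length, rate) / SECONDS_PER_YEAR


def equivalent_length(charset_a: int, length_a: int, charset_b: int) -> int:
    """Shortest length a password over `charset_b` needs so that its keyspace
    is at least as large as charset_a ** length_a. Pure integer arithmetic,
    so there is no floating-point rounding at the boundary."""
    target = keyspace(charset_a, length_a)
    length_b = 1
    while keyspace(charset_b, length_b) < target:
        length_b += 1
    return length_b


def timing_table(charset_size: int = PRINTABLE_CHARSET,
                 lengths=range(8, 13)) -> dict:
    """Map each length to the worst-case search time in years; this is the
    'one more character' jump the article describes."""
    return {n: search_years(charset_size, n) for n in lengths}


if __name__ == "__main__":
    for n, years in timing_table().items():
        print(f"{n:2d} printable chars: {years:15,.1f} years")
    hours = search_seconds(PRINTABLE_CHARSET, 8) / 3600
    print(f"\n8-character password falls in {hours:.2f} hours")
    print("a lowercase-only password needs "
          f"{equivalent_length(PRINTABLE_CHARSET, 12, LOWERCASE_ONLY)} letters "
          "to match a 12-character password drawn from all 95 symbols")
```

Running it gives 180 years for 11 characters, 17,134 for 12, and under two hours for 8, matching the article. The `equivalent_length` helper shows why a sentence works as a password: each extra position multiplies the keyspace, so length makes up for a smaller alphabet.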
Passwords have gotten longer over time, and security experts are already
recommending that people use full sentences as passwords.
Here’s one suggested password-sentence from Carnegie Mellon University:
“No, the capital of Wisconsin isn’t Cheeseopolis!”
Or maybe something that’s easier to remember, like this:
“I have two kids: Jack and Jill.”
Even though advances in cheap computing power are making long, complicated
passwords a necessity, not all websites will accommodate them, Boyd said.
It’s best to use the longest and most complex password a site will allow,
he said. For example, if a website will let you create a password with
non-letter characters — like “@y;}v%W$\5\” — then you should do so.
There are only 26 letters in the English alphabet, but there are 95 letters
and symbols on a standard keyboard. More characters means more
permutations, and it soon becomes more difficult for a computer to generate the
correct password just by guessing.
Some websites allow for super-long passwords. The longest one Boyd has seen
is at a financial site that lets users create 32-character passwords.
On a Microsoft website devoted to password security, the tech
giant tells the password-creating public not to use real words or logical
combinations of letters. That keeps you safer from a “dictionary attack,” which
uses a database of words and common character sequences to try to guess
the code.
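A site can enforce both pieces of advice at sign-up. The following Python is an added example, not code from the article, Microsoft or Georgia Tech: a password-policy check that rejects anything shorter than 12 characters, anything that is a dictionary word with digits or symbols bolted on, and "logical combinations" such as alphabet or keypad runs. The wordlist is a constructed stand-in; a real deployment would load a full dictionary.

```python
import re

# Added example, not code from the article, Microsoft or Georgia Tech.
# A password-policy check that enforces the article's two pieces of advice:
# a 12-character minimum, and no "real words or logical combinations of
# letters", which are the inputs a dictionary attack tries first.

MIN_LENGTH = 12  # the Georgia Tech recommendation quoted in the article

# Constructed stand-in for a real wordlist. A production check would load a
# dictionary and a breached-password list instead of this handful of words.
WORDLIST = {
    "password", "welcome", "dragon", "letmein", "sunshine", "baseball",
    "football", "monkey", "princess", "qwerty",
}


def dictionary_core(password: str) -> str:
    """Strip the digits and symbols people bolt onto a word ('Dragon2010!'
    -> 'dragon') so a padded dictionary word is still recognised."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password).lower()


def is_sequential(s: str) -> bool:
    """True for alphabet or keypad runs such as 'abcdefgh' or '87654321':
    every character is exactly one code point above or below the previous."""
    if len(s) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def is_repeated(s: str) -> bool:
    """True for 'aaaaaaaaaaaa' and similar single-character strings."""
    return len(set(s)) == 1


def check_password(password: str, wordlist=WORDLIST) -> list:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if dictionary_core(password) in wordlist:
        problems.append("a dictionary word with only digits or symbols added")
    if is_sequential(password) or is_repeated(password):
        problems.append("a predictable character sequence")
    return problems


if __name__ == "__main__":
    for candidate in ["Dragon2010!", "password2010", "abcdefghijkl",
                      "No, the capital of Wisconsin isn't Cheeseopolis!"]:
        verdict = check_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

Note that `password2010` passes the length rule and still fails, which is the point of the dictionary check: length alone does not help when the guess list already contains the word.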
The Georgia Tech researchers carried out a “brute force” attack when they
determined that passwords should be at least 12 characters long.
To do so, they deployed computer graphics cards, which are cheap and can be
programmed to do basic computations very quickly.
The processors in those cards run simultaneously, trying to guess all of
the possible password combinations. The more characters in a password, the
more guesses are required.
But if your password has to be really long in order to keep up with this
computational power — and if you’re supposed to have a new password for each
website you frequent — then how are you supposed to remember everything?
That’s a real problem, the Georgia Tech researchers said.
There are a few solutions, however.
A website called Password Safe
will store a list of passwords for you, but Boyd and Davis said it may still
be possible for a hacker to obtain that list.
Other companies sell tokens that people carry around with them. These
keychain-sized devices generate random numbers several times a minute, and users
must enter those numbers and a shorter password to log in.
Some sites — Facebook for example — are marketing their log-ins and user
names as a way to access sites all over the Web.
That’s good for the user but is potentially dangerous because if hackers
figure out a single password, they can access multiple banks of information,
the researchers said.
The reason passwords have to keep getting longer is that computers and
graphics cards are getting faster, the Georgia Tech researchers said.
“These things are really inexpensive — just a few hundred dollars — and
they have a performance that’s comparable to supercomputers of only just a
few years ago,” Boyd said of fast-processing graphics cards.
Maybe our brains will have to get bigger and faster, too. We’ll need some
way to remember these tome-like character strings.

