When I set up a new account for my parents, they're always annoyed by my password choice: long, nonsense strings of letters, numbers, and punctuation characters. There's a reason for that though: if you can think up a password, someone else can crack it with hardly any effort at all.
The average Web user maintains 25 separate accounts but uses just 6.5 passwords to protect them, according to a landmark study (PDF) from 2007. ... such password reuse, combined with the frequent use of e-mail addresses as user names, means that once hackers have plucked login credentials from one site, they often have the means to compromise dozens of other accounts, too.
Newer hardware and modern techniques have also helped to contribute to the rise in password cracking. Now used increasingly for computing, graphics processors allow password-cracking programs to work thousands of times faster than they did just a decade ago on similarly priced PCs that used traditional CPUs alone. A PC running a single AMD Radeon HD7970 GPU, for instance, can try on average an astounding 8.2 billion password combinations each second, depending on the algorithm used to scramble them. Only a decade ago, such speeds were possible only when using pricey supercomputers.
At any given time, Redman is likely to be running thousands of cryptographically hashed passwords though a PC containing four of Nvidia's GeForce GTX 480 graphics cards. It's an "older machine," he conceded, but it still gives him the ability to cycle through as many as 6.2 billion combinations every second.
What can you do to protect yourself? Use long, randomly generated passwords. And never, ever reuse a password.
Even powerful computation engines have trouble cracking longer passwords using brute force. Assuming such an attack checks for all combinations of all 95 letters, numbers, and symbols available on a standard English-language keyboard, it takes a matter of hours for a desktop computer with an Intel Core i7 980x processor to brute-force crack any five character password. Increasing the password length by just one character requires about a day; bumping the length by one more character, though, dramatically increases the cracking time to more than 10 days. Rob Graham, the Errata Security CEO who calculated the requirements, refers to this limitation as the "exponential wall of brute-force cracking."
So what can the average person do to pick a passcode that won't be toppled in a matter of hours? Per Thorsheim, a security advisor who specializes in passwords for a large company headquartered in Norway, said the most important attribute of any passcode is that it be unique to each site.
"For most sites, you have no idea how they store your password," he explained. "If they get breached, you get breached. If your password at that site is unique, you have much less to worry about."
It's also important that a password not already be a part of the corpus of the hundreds of millions of codes already compiled in crackers' word lists, that it be randomly generated by a computer, and that it have a minimum of nine characters to make brute-force cracks infeasible. Since it's not uncommon for people to have dozens of accounts these days, the easiest way to put this advice into practice is to use program such as 1Password or PasswordSafe. Both apps allow users to create long, randomly generated passwords and to store them securely in a cryptographically protected file that's unlocked with a single master password.
If you need help generating a strong master password, you could try my online Diceware pass phrase generator.