As part of writing my forthcoming "Windows 8 Power Users Guide" from Apress and "Troubleshoot and Optimize Windows 8 Inside Out" from Microsoft Press, there are inevitably chapters where I have to talk about security and, as a part of this, passwords.
In Troubleshooting Windows 7 Inside Out I included a table showing how long it would take an average PC of the day to crack passwords of varying lengths and complexities. Obviously for the new books this table would need updating and it's a good indicator of just how quickly processing power has moved on.
As an example of this, in the last book, written in 2010, an 8-character password made up of both upper and lower case letters, numbers and symbols would have taken 2.25 years to crack. The same password now would take just 57 days. I have included the data in a table for you here, heat mapped with what I consider to be safe and unsafe password combinations. Where does your password fit in the table and how secure is it?
k – Thousand (1,000 or 10^3)
m – Million (1,000,000 or 10^6)
bn – Billion (1,000,000,000 or 10^9)
tn – Trillion (1,000,000,000,000 or 10^12)
qd – Quadrillion (1,000,000,000,000,000 or 10^15)
qt – Quintillion (1,000,000,000,000,000,000 or 10^18)
Moore's law has a lot to do with the shorter times it takes to crack passwords today compared with just a couple of years ago. This theoretical rule states that the number of transistors that can be fitted into an integrated circuit doubles approximately every two years. When you also consider new programming methods that allow any PC to use the GPU on some graphics cards, and the popularity of quad-core (and even higher core count) processors, we can see why a password that we previously considered safe now simply isn't. Indeed, a very secure password that I used fifteen years ago has been in the "cracked instantly" category for some years now.
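The arithmetic behind a table like this, as an added example that is not from the article or the books: it estimates the worst-case exhaustive search time for a password and compares the article's 2.25 years to 57 days change with a Moore's law doubling. The symbol count of 33, the guess rate, the two-year gap between the tables and all function names are assumptions made for illustration.

```python
import math
import string

SYMBOL_COUNT = 33    # assumption: printable ASCII symbols, including space
ASSUMED_RATE = 1e9   # assumption: guesses per second, illustrative only
UNITS = [(1e18, "qt"), (1e15, "qd"), (1e12, "tn"),
         (1e9, "bn"), (1e6, "m"), (1e3, "k")]

def charset_size(password):
    """Alphabet size an exhaustive search must cover for this password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c not in string.ascii_letters + string.digits for c in password):
        size += SYMBOL_COUNT
    return size

def short_scale(n):
    """Format a count with the article's k/m/bn/tn/qd/qt abbreviations."""
    for factor, suffix in UNITS:
        if n >= factor:
            return f"{n / factor:.2f} {suffix}"
    return str(n)

def worst_case_seconds(password, rate=ASSUMED_RATE):
    """Upper bound only: dictionary words are found long before this."""
    return charset_size(password) ** len(password) / rate

def moore_speedup(years, doubling_years=2.0):
    """Speed-up expected if capacity doubles every doubling_years."""
    return 2 ** (years / doubling_years)

def years_until(seconds_now, target_seconds, doubling_years=2.0):
    """Years until the worst case shrinks to target_seconds."""
    if seconds_now <= target_seconds:
        return 0.0
    return doubling_years * math.log2(seconds_now / target_seconds)

if __name__ == "__main__":
    pw = "Tr1cky!pw"  # constructed sample password
    secs = worst_case_seconds(pw)
    print("candidates:", short_scale(charset_size(pw) ** len(pw)))
    print("years until crackable in a day:", round(years_until(secs, 86400), 1))
    print("article speed-up:", round(2.25 * 365.25 / 57, 1),
          "vs Moore over 2 years:", moore_speedup(2))
```

The article's two figures imply a speed-up of roughly 14 times, well above the 2 times that transistor doubling alone would give over an assumed two years, which is consistent with the GPU and multi-core effects described above.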
My advice is to make sure that your password contains both upper and lower case letters, numbers and symbols and that it is at least 10 to 14 characters long. You can use numbers and symbols instead of some letters, for example the number 0 can be used instead of an o or O, a £ can be used instead of an e and a 1 can be used instead of an i or an L. You should also always avoid dictionary words (the first things password crackers look for) and easily guessable numbers such as the year of your birth.
My own password falls comfortably in the safe zone on the chart, which came as a relief to me, but another password that I use less often and that I considered safe is now in the red danger zone, so I'll be changing that straight away.
You'll be able to read more about this in the fall when the books are released, and there will be much more on security, safety and passwords included in each. This subject is, after all, extremely important to all of us, as malware increasingly tries to guess the passwords to our email and other accounts, and as the use of Internet banking means there really is something to gain from being a criminal.