The definition of a “strong” password hasn’t changed for years. The standard five years ago, and still the standard today, is something like “at least eight characters including a combination of letters, numbers, miscellaneous characters and at least one uppercase letter.” Obviously different sites and applications vary somewhat.
I spoke with Dr. Joseph J. Ekstrom of the BYU IT department in the College of Engineering last Friday. JJ pointed out something that should have been obvious to me and to anyone interested in security. The ability to break a password is a function of Moore’s Law. The more computation cycles and the more memory available for the cracking program, the quicker passwords can be broken. Cracking techniques are also improving. One example is Rainbow Tables (see http://en.wikipedia.org/wiki/Rainbow_table). Per Wikipedia, “A rainbow table is a lookup table offering a time-memory tradeoff used in recovering the plaintext password from a password hash generated by a hash function, often a cryptographic hash function. A common application is to make attacks against hashed passwords feasible.” Due to the effect of Moore’s Law on disk density, terabytes or even petabytes of disk are available to create lookup tables that can be used to crack passwords.
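As an added example (not from the original post or from Dr. Ekstrom), the contrast the post draws, in Python: an unsalted SHA-1 store, where one precomputed table covers every account sharing a password, beside a per-user-salted PBKDF2 store that no precomputed table can cover and whose iteration count can be raised as hardware gets faster. The sample accounts, the candidate wordlist and the iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample accounts: two users happen to pick the same password.
USERS = {"alice": "Winter2012!", "bob": "Winter2012!", "carol": "xQ7#pLm2vR9!"}

# Assumed iteration count; tune it to the hardware that verifies logins.
PBKDF2_ITERATIONS = 200_000


def weak_hash(password):
    """Unsalted, fast hash. Every account with this password stores the same
    digest, so one precomputed table serves every account in the database."""
    return hashlib.sha1(password.encode()).hexdigest()


def hardened_hash(password, salt=None):
    """Per-user random salt plus a deliberately slow KDF. The salt means a
    table would have to be rebuilt per account; the iteration count keeps
    the cost per guess high as hardware gets faster (the Moore's Law point)."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), dk.hex())


def verify_hardened(password, stored):
    """Re-derive with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def precomputed_table(wordlist):
    """The time-memory trade-off in miniature: hash a candidate list once, and
    recovering any unsalted digest in it becomes a dictionary lookup."""
    return {weak_hash(w): w for w in wordlist}


def accounts_exposed(stored_digests, table):
    """Audit helper: which stored unsalted digests does the table already cover?"""
    return {user: table[d] for user, d in stored_digests.items() if d in table}
```

PBKDF2 is used here because it ships with the standard library; a memory-hard KDF such as scrypt or Argon2 serves the same purpose with a larger per-guess cost.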
I believe this insight should have an impact on how we all view passwords. It should cause all institutions to take a close look at their password strength requirements and to evaluate which encryption and hashing functions are in use in their systems. Personally I will be choosing stronger passwords in the future.