
Why are we recommended to have at least 8 characters, and not 6 or 7, etc.? And the different set of characters? I only know that the longer the password is, the harder it is for a brute-force attack to take place. But why specifically 8 characters?

NightMoon
  • Frankly, because various standards called for 8 characters. – schroeder Jan 27 '19 at 21:29
  • The better question is why not 10, 12, or 14... We are to the point where we really should be storing our passwords in a manner that supports using passphrases rather than passwords, and we should be using dictionaries for our passphrases that are a lot more than 8000 words. But for the fact that it's been posted online, `cwm thrash hudsUcker tangerine Betelgeuse anthrAx r!pple` might be a good password today - but it doesn't do much good if your passwords are stored as MD5 hashes, because they're only 128 bits, and even if you count just 3 bits per char, that's 171. – Ed Grimm Jan 28 '19 at 00:17
  • @Xenos yes, standards have changed, but I said that the standards *called* for. Many standards have been changed. – schroeder Jan 28 '19 at 09:43
  • @Sky the end of the duplicate's accepted answer explains the original reason why passwords were suggested to be 8 characters long: it was the maximum length of effective hashing of the original password hashing process. You could go longer than 8, but it didn't matter, so 8 as a minimum was the most secure password you could get. – schroeder Jan 28 '19 at 11:02
  • @EdGrimm There are actually no issues for using MD5 for **(unusually) strong** passwords. All currently known SHA-1 and MD5 vulnerabilities do not help password crackers. Developers should be using Argon2, but as a user you personally wouldn't be vulnerable if your password had 128-bit strength. Other users, yes, because weak passwords are common, but stored hashes of very strong passwords are always safe if a pre-image resistant hash is used. – Future Security Jan 28 '19 at 21:37
  • @FutureSecurity It's not about the hash vulnerabilities; it's about the fact that there's more significant bits in the password than in the hash, so it's likely that there are many other values that length or shorter that will hash to the same value. I wouldn't know how to find them without using brute force, but if someone is using brute force already, I can't guarantee it will take them as long to crack the 16 byte hash of my 57 character password as it would take to crack my 57 character password. – Ed Grimm Jan 28 '19 at 22:17
  • It doesn't matter how many collisions exist, @EdGrimm. Not even if it's infinitely many. The chance of finding a pre-image (an input value that hashes to a chosen output) is 2^-128 no matter how many candidate passwords a cracker tests. It doesn't matter if it's the first, second, third, thousandth, billionth, or duodecillionth. The next input you try is still going to produce one of the outputs you're not looking for precisely 99.999999999999999999999999999999999999706126412294428123007815865694438580545333610806978119622812073430395685136318206787109375% of the time. – Future Security Jan 29 '19 at 15:48

1 Answer


You're right to state that the password length recommendation is usually directly related to how hard it is to brute-force. When you combine this with the understanding that the sophistication of attacks as well as computing power are increasing, it should follow that at some point in the past, based on the computing power available, 8 characters was the "right" recommendation, and prior to this it could have been 6 or 7. Neither is the right recommendation today.

As computing power increases and sophistication of attacks increases, recommended password lengths will increase as well, to a point where it isn't feasible to use passwords which are any longer.

HackneyB
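The answer's point, that the "right" minimum length is a function of the attacker's guessing budget and therefore moves over time, can be made concrete with a few lines of arithmetic. The following is an added example (not code from the question or the answer): it assumes passwords are chosen uniformly at random from the character set, and the guess rates and time budget are constructed illustrative values, not measurements of any real cracking rig.

```python
import math

# Character-set sizes for the password classes the question asks about.
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "lower+upper": 52,
    "lower+upper+digits": 62,
    "printable ASCII": 95,
}

def password_bits(charset_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password of `length` symbols."""
    return length * math.log2(charset_size)

def passphrase_bits(dictionary_size: int, words: int) -> float:
    """Entropy in bits of `words` words drawn uniformly from a word list
    (the 8000-word dictionary from the comments gives ~13 bits per word)."""
    return words * math.log2(dictionary_size)

def min_length_for_bits(charset_size: int, target_bits: float) -> int:
    """Smallest length at which a uniform password reaches `target_bits`,
    e.g. how long a 95-symbol password must be to match a 128-bit hash."""
    return math.ceil(target_bits / math.log2(charset_size))

def min_length_for_budget(charset_size: int, guesses_per_second: float,
                          seconds: float) -> int:
    """Smallest length whose keyspace exceeds what the attacker can try in
    the given time. Integer arithmetic avoids float rounding at the edge."""
    budget = int(guesses_per_second * seconds)
    length = 1
    while charset_size ** length <= budget:
        length += 1
    return length

def length_table(guesses_per_second: float, seconds: float) -> dict:
    """Minimum length per character set for one attacker budget."""
    return {name: min_length_for_budget(size, guesses_per_second, seconds)
            for name, size in CHARSETS.items()}

if __name__ == "__main__":
    day = 86400
    # Constructed guess rates: a slow online-style attacker vs. an offline one.
    for rate in (1e3, 1e9):
        print(f"{rate:.0e} guesses/s, one day:", length_table(rate, day))
    print("8 lowercase chars:", round(password_bits(26, 8), 1), "bits")
    print("7 words from 8000:", round(passphrase_bits(8000, 7), 1), "bits")
    print("95-symbol length for 128 bits:", min_length_for_bits(95, 128))
```

Running it shows the lowercase minimum jumping from 6 to 10 characters as the constructed guess rate grows by a factor of a million, which is the mechanism behind the answer's "6 or 7, then 8, now longer" progression.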