A poll, aimed in particular at people who think they understand the technologies around password cracking. Assume that there is at least one password that you need to be strong and need to remember & type not-infrequently. How many characters is enough for you to feel comfortable in 2024? Assume any char you can type easily is available.
[May need a follow-up poll if the majority is at >=12]
[Boost if you’re interested in the result]

#infosec

9: 3.3%
10: 6.2%
11: 2.2%
>=12: 88.3%
Poll ended at .

@timbray IMO, the use-case is important.

For any place it's going to be stored in a database? I really don't care - it's going to be unique and if that site gets compromised and the password is stolen, I don't care if it gets cracked. They can already access my account, so as long as the password is unique, I don't care. It shouldn't be guessable against the form, so that's about 8. Let's say 8+ characters.

For a place I personally control (like FDE or my OS password)? I think 8-9 characters is fine, AS LONG AS I can tune the algorithm to make guessing very, very slow. If it takes ~1 second to check a password, an 8 character password is going to take on the order of 10**15 guesses which is like 200m years. Yes, you can parallelize, and yes, technology will improve, but it's much MUCH more likely you'll be compromised by a keylogger or camera or something.

For a place where it's weakly hashed and can be stolen (like Windows)? Again, I'm going to use a unique throwaway password because I assume if my password is going to get stolen, it's a keylogger. That's where I'd consider 12+ mandatory, if I wanted it to be safe.

So really..... it depends. :)
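The arithmetic behind the reply above, as an added example (not code from either poster): it computes the keyspace for a given length and how long exhausting it takes at different guess rates, comparing the "tuned, ~1 second per check" case with a fast, weakly hashed one. The 95-character alphabet (printable ASCII) and the guess rates are assumptions chosen for illustration.

```python
import math

# Printable ASCII a user can type easily: 95 symbols (space through '~').
# Assumed alphabet size; the thread only says "any char you can type easily".
ALPHABET_SIZE = 95
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed guess rates for comparison; none are measurements.
SCENARIOS = {
    "tuned KDF, ~1 guess/s (single machine)": 1.0,
    "tuned KDF, 10k machines in parallel": 1e4,
    "fast unsalted hash, offline GPU rig": 1e11,
}


def keyspace(length: int, alphabet: int = ALPHABET_SIZE) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet ** length


def log10_guesses(length: int, alphabet: int = ALPHABET_SIZE) -> float:
    """Order of magnitude of the keyspace, e.g. ~15.8 for 8 chars of 95."""
    return length * math.log10(alphabet)


def years_to_exhaust(length: int, guesses_per_second: float,
                     alphabet: int = ALPHABET_SIZE) -> float:
    """Worst-case years to try every candidate of `length` at the given rate."""
    return keyspace(length, alphabet) / guesses_per_second / SECONDS_PER_YEAR


def crack_table(lengths=(8, 9, 10, 11, 12)) -> dict:
    """Map (scenario, length) -> worst-case years, for all scenarios above."""
    return {(name, n): years_to_exhaust(n, rate)
            for name, rate in SCENARIOS.items() for n in lengths}


if __name__ == "__main__":
    for (name, n), years in crack_table().items():
        print(f"{name:40s} len={n:2d}  ~10^{log10_guesses(n):.1f} guesses"
              f"  -> {years:.3g} years")
```

Running it shows why the reply's answer depends on the storage: 8 characters at one guess per second is on the order of 10^15 guesses and a couple of hundred million years, while the same password against a fast hash on a GPU rig falls in under a day and only the 12-character row stays out of reach.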