How secure are passwords with under 20 characters length?

Solution 1:

You might want to point whoever wrote that policy at this blog post from Bruce Schneier.

It's a good write-up of why the strength of passwords is the least of anyone's problems on the web.

Solution 2:

This is an interesting article (see the PDF print if the web archive is unavailable). It details how long it would theoretically take to brute-force a password for different lengths and symbol sets.
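The calculation the linked article describes, carried out for several lengths and symbol sets, as an added example that is not from the article or from this answer; the two guess rates are assumed figures for illustration, not values from the page.

```python
import math

# Symbol sets of the kind the article compares: digits, lowercase letters,
# mixed-case alphanumerics, and the full printable ASCII range (95 symbols).
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "mixed-case alphanumeric": 62,
    "full printable ASCII": 95,
}

# Assumed guess rates (constructed for illustration, not taken from the page):
# an online login throttled to 10 guesses/s, and an offline attack against a
# fast unsalted hash at 1e10 guesses/s.
GUESS_RATES = {
    "online, throttled": 10.0,
    "offline, fast hash": 1e10,
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy when every symbol is chosen uniformly at random."""
    return length * math.log2(charset_size)


def expected_seconds(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random password: on average the
    attacker searches half the keyspace before finding it."""
    return keyspace(charset_size, length) / 2 / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render seconds in the largest unit that gives a value of at least 1."""
    for unit, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def crack_time_table(lengths=(8, 12, 20)):
    """Rows of (charset, length, entropy bits, guess-rate label, expected time)."""
    rows = []
    for cs_name, cs_size in CHARSETS.items():
        for n in lengths:
            for rate_name, rate in GUESS_RATES.items():
                rows.append((cs_name, n, round(entropy_bits(cs_size, n), 1),
                             rate_name, human_duration(expected_seconds(cs_size, n, rate))))
    return rows


if __name__ == "__main__":
    for cs_name, n, bits, rate_name, when in crack_time_table():
        print(f"{cs_name:24} len={n:2} {bits:6.1f} bits  {rate_name:18} {when}")
```

The table makes the article's point visible: length multiplies entropy linearly, so the same 8-character password that survives a throttled online attack for centuries falls in days to an offline attack, while 20 characters stays out of reach at either rate.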


Solution 3:

Look at the accepted answer in this post. It shows that even an 8-character password using the full range of characters can take ~10,000 years to crack!


Solution 4:

If you count the use of rainbow tables as brute force (opinions vary), then for 8 characters, using rainbow tables that include all the characters in the password, about 10 seconds. For a 20-character password (same characters, same rainbow tables), less than 30 seconds. The catch is that it takes a long time to generate the tables. Mine took about a month to generate on a 3 GHz machine, processing only at night. On the other hand, you only need to do that once.

The issue of trying to remember long passwords is easily solved by a combination of character substitution and using a phrase. Even something as simple as "#Fr3ddy M3rcury#" is complex enough for most uses, yet is remarkably easy to remember.


Solution 5:

Consider that an eight-character password may be remembered. A 20-character password will be written down.

And then someone can read it.