For a pretty strong password, think 10. If your password contains 10 characters, you should be able to sleep well at night -perhaps for 19.24 years.
That's how long it would take hackers to try every combination of 10 characters, assuming that the password is encrypted and that the hackers have enough computing power to mount a 100-billion-guesses-a-second effort to break the encryption. But if your user names and passwords are sitting unencrypted on a server, you may not be able to sleep at all if you start contemplating the potential havoc ahead.
The hacker group LulzSec, for example, recently said it had gained access to Sony's servers, where it could get at names, home addresses and passwords for more than one million Sony customers: everything was stored in plain text form. It posted information for more than 37,000 user accounts.
Sony issued a statement saying that "we deeply regret and apologise for any inconvenience caused to consumers by this cybercrime."
Hackers would love to get their hands on a complete collection of all of your passwords, like those held at LastPass, a cloud-based password management service. At the instruction of its customers, LastPass stores user names and passwords on its server as each Web site is visited, then fills in everything automatically on subsequent visits.
LastPass reported last month that it had noticed some odd behaviour in its network traffic logs and might have suffered an online break-in.
Steve Gibson, a security expert and chief executive of the Gibson Research Corporation, a publisher of utility programmes for PCs, says he uses LastPass because its service adheres to his dictum that data "should be encrypted before it goes up to the cloud and then decrypted when it returns."
Gibson posted a Web page that allows visitors to see how long it would take for a computer to try every possible combination of letters, numbers and special symbols to crack an encrypted password.
Here's a little quiz: Which is the stronger password? "PrXyc.N54" or "D0g!!!!!!!"?
The first one, with nine characters, is a beaut. Gibson's page says that it would take a hacker 2.43 months to go through every nine-character combination offline, at the rate of a hundred billion guesses a second. The second one, however, is 10 characters. That one extra character makes it much, much stronger: it would take 19.24 years at the hundred-billion-guesses-a-second rate. (Security researchers have established the feasibility of achieving these speeds with fairly inexpensive hardware.)
Don't worry about the apparent resemblance of "D0g," with a zero in the middle, to the word in the dictionary. That doesn't matter, "because the attacker is totally blind to the way your passwords look," Gibson writes on his Web site.
Gibson says that as long as the password is not on a list of commonly used passwords and is not found in a dictionary, the most important password factor is length.