Short passwords are vulnerable - and by short, we mean 8-characters

[robkelk]

The Register: Use an 8-char Windows NTLM password? Don't. Every single one can be cracked in under 2.5hrs

Or under 15 seconds if you have applicable rainbow tables and a GPU. (And who doesn't have a GPU nowadays?)


IMHO, this xkcd strip has a good idea but doesn't implement it correctly. (For one thing, Mr. Munroe implies his password is 25 elements {letters} long when it's actually 4 elements {common dictionary words} long.)

[Star Ranger4]

Funny, the register's article points out that said password in fact works quite well.; it even refers to it and the strip in question directly

And no, what you are overlooking here is that it doesn't matter if the password is 4 elements, the cracker has no way of knowing anything more than there are 25 charecters there, and therefore must brute force each one. The ease comes in on the human side, where one uses personal memnotics associations to more easily create the long string needed.

[hazard]

Basically, when you are dealing with 'random asshole trying to get access to your account' it matters how long he has to spend cracking your password because he has no specific need for you in particular. In such cases having a long but easily remembered password works fine because he's unlikely to access your personal records and history for hints, he just doesn't care enough. For the time spent cracking you he can have a dozen or more others. When you are dealing with 'somebody wants access to your account specifically' though that goes out the window and a random password generator becomes more reliably difficult to hack. Because he wants access to your account, and if that means some more legwork... he does that legwork, or has it done for him.