Eight may be a good number at the craps table in Las Vegas, but it is the worst number for a minimum password length.
Seven is the best password length, but passphrases may be your best option. (See SecurityFocus.com for details on the weakness of the LanMan password hash.)
Because of human nature, a policy that requires "password complexity" and a minimum password length of eight will result in the majority of users picking passwords that are exactly eight characters long. The complexity part -- usually a number or special character -- often ends up as the eighth character of the password. This complex eight-character password becomes two passwords: a seven-character, all-uppercase alphabetical password, and a one-character number or special-character password.
Let's look at the password "Snowman!" This password meets typical complexity requirements -- it's eight characters long, uses uppercase and lowercase letters and includes a special character.
When a computer stores the LanMan hash for this password, it first converts the characters to uppercase, then splits the password into two seven-byte halves, "SNOWMAN" and "!", and hashes each half separately. (Note: the LanMan hash is not stored by default on Vista and Windows 7 systems.)
The first half of the password can be cracked in an hour or less with a password cracker. The second half can be cracked in less than a minute via the full-character-set options in the password cracker. Put it all together, and a typical eight-character complex password can be cracked in less than an hour.
However, if the minimum password length is seven characters, most users will make their passwords exactly that long. This means the complexity (the number or special character) falls within the first seven characters, and therefore within the first half of the LanMan hash. The cracking program would then need to run the entire character set over the entire seven-character range, which takes far longer. By the same reasoning, a seven-character complex password usually takes longer to crack than a complex password that's eight to 12 characters long.
You could set a 14-character minimum password length, but this may upset your users and create a run on Post-it notes (under the keyboard, in the desk drawer, etc.).
If you insist upon using a minimum password length of eight characters, make sure to set the NoLMHash registry key on all desktops, servers and domain controllers so that the LanMan hash is never created. Then, run some freeware tools to delete all existing LanMan hashes from the password history, because prior passwords may be used to help guess current passwords.
Better yet, tell users to use a passphrase instead of a password. A passphrase is a combination of words or an entire sentence -- including punctuation -- like "I love my little blue car." This meets the minimum password-length requirement and has all the elements of a complex password including case sensitivity and special characters.
In a recent security training class, I conducted the following experiment:
Everybody on one side of the classroom was asked to think of a password they would typically use at work. Then I asked the people on the other side of the classroom to think of a passphrase.
I asked the first side of the room (password) to count the length of the passwords they thought of, and I asked the others (passphrase) to count the length of their passphrases. The results from the first side are normally between seven and 13 characters long. The second side of the classroom produces passphrases anywhere from 20 to 60 characters long (but rarely shorter than 15).
Asking users to think of passwords as "passphrases" is a good way to encourage strong passwords.
Aside from being strong passwords, passphrases are often easier to remember and are simpler to change every 60 days. Your users will have more fun remembering their passwords, and your network will be more secure.
ABOUT THE AUTHOR:
Eric Schultze is an independent security consultant who most recently designed Microsoft patch management solutions at Shavlik Technologies. Prior to Shavlik, Schultze worked at Microsoft, where he helped manage the security bulletin and patch release process. Schultze likes to forget that he used to work as an internal auditor on Wall Street.