In the wake of the eHarmony and LinkedIn hacks, many people have been thinking about the strength of their own passwords. A secure password isn't difficult to come up with. The harder part, from what most people tell me, is remembering it. Still, the extra difficulty of cracking a longer, more secure password makes the effort of remembering it worthwhile. To get an idea of how much a more secure password really buys you, an interesting "interactive brute force password 'search space' calculator" from Gibson Research Corporation will tell you just that. Take one of the most common passwords ("password", without the quotes): an online attack against the web site, assuming 1000 guesses per second, would take 6.91 years to guess it. Sound high? An offline attack, assuming one hundred billion guesses per second (not too far-fetched), would take all of 2.17 seconds to crack it. With a massive parallel processing array devoted to cracking the password at one hundred trillion guesses per second, it would take a mere 0.00217 seconds. Not so secure after all, it would seem.
What can you do to have a truly secure password? Well, there's no such thing as 100% secure, but adding numbers and a symbol makes it much harder to crack. More characters make it more difficult, as well. A password as simple as "secure@password3" would take 85.17 trillion centuries to guess at 1000 guesses per second; 8.52 hundred million centuries at one hundred billion guesses per second; and 8.52 thousand centuries at one hundred trillion guesses per second. Take out the "@" and "3" and you're left with 21.33 million centuries, 21.33 weeks, and 1.11 weeks (at the same three guess rates, in the same order). The creator of the calculator recommends a 10-character password of letters and numbers, with a symbol thrown on at the end. This is a good balance between length, difficulty to remember, and strength. Please use random letters and numbers, as a dictionary word makes cracking much easier.
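To see where figures like these come from, here is a small Python script that reproduces the "search space" idea behind the calculator. It is an added example written for this post, not Gibson Research Corporation's own code. It assumes the calculator's character-class model (26 lowercase, 26 uppercase, 10 digits, 33 symbols including the space), counts every string from one character up to the password's length over the classes the password actually uses, and divides by the three guess rates quoted above. Year and century lengths (365.25 days) are my assumption, so the rounding of the human-readable output can differ slightly from what the online calculator displays.

```python
import string

# Character-class sizes assumed for the haystack model (33 symbols counts the space).
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33
SYMBOL_CHARS = string.punctuation + " "

# The three attack scenarios quoted in the post (guesses per second).
GUESS_RATES = {
    "online attack (1,000/s)": 1_000,
    "offline attack (100 billion/s)": 100_000_000_000,
    "massive parallel array (100 trillion/s)": 100_000_000_000_000,
}

# Assumed calendar: 365.25-day years, 100-year centuries.
YEAR = 365.25 * 86_400
UNITS = [
    ("centuries", 100 * YEAR), ("years", YEAR), ("weeks", 7 * 86_400),
    ("days", 86_400), ("hours", 3_600), ("minutes", 60), ("seconds", 1),
]


def alphabet_size(password: str) -> int:
    """Size of the alphabet an attacker must assume, given which classes appear.

    Using a class the attacker cannot rule out forces them to try it for
    every position, which is why a single '@' or digit inflates the space.
    """
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += LOWER
    if any(c in string.ascii_uppercase for c in password):
        size += UPPER
    if any(c in string.digits for c in password):
        size += DIGITS
    if any(c in SYMBOL_CHARS for c in password):
        size += SYMBOLS
    return size


def search_space(password: str) -> int:
    """Number of candidate strings of length 1..len(password) over that alphabet.

    Exact integer arithmetic is used so very long passwords do not lose
    precision to floating point.
    """
    n = alphabet_size(password)
    return sum(n ** length for length in range(1, len(password) + 1))


def seconds_to_exhaust(password: str, guesses_per_second: int) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return search_space(password) / guesses_per_second


def humanize(seconds: float) -> str:
    """Render a duration with the largest unit that fits, three significant digits."""
    for name, length in UNITS:
        if seconds >= length:
            return f"{seconds / length:.3g} {name}"
    return f"{seconds:.3g} seconds"


def report(password: str) -> dict:
    """Search space plus a human-readable crack time per scenario."""
    result = {"alphabet": alphabet_size(password), "search_space": search_space(password)}
    for label, rate in GUESS_RATES.items():
        result[label] = humanize(seconds_to_exhaust(password, rate))
    return result


if __name__ == "__main__":
    # The three passwords discussed in the post.
    for pw in ("password", "securepassword", "secure@password3"):
        print(f"{pw!r}: {report(pw)}")
```

Running it shows the "password" search space of 217,180,147,158 candidates, which at one hundred billion guesses per second is the 2.17 seconds mentioned above; swapping in "secure@password3" raises the alphabet from 26 to 69 characters and the length to 16, and the time jumps by many orders of magnitude even though the password is still built on a dictionary word, which is exactly why the post says to prefer random characters.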