Let’s face it. We’re all losing the password length arms race.
Today’s GPUs can deliver two teraflops (a teraflop is a trillion floating-point operations per second), which means that my nephew’s high-end gaming PC has roughly the same processing power as a multimillion-dollar supercomputer did ten years ago.
Thanks to the power of the GPU and modern algorithms like rainbow tables, there are now commercial products available that can churn through nearly 3 billion passwords a second on a standard desktop computer.
This may prompt the more conventional among us to follow the advice of a pre-eminent researcher in the field like Richard Boyd, who recommends a minimum password length of 12 characters to protect against brute force attacks.
Then again, you might be inclined to follow the Adobe way and try to outwit hackers with some cutting-edge reverse-psychology self-defense.
I know…you’re probably wondering why any moron ever thought it was a good idea to limit the password length as part of their security policy.
But think about it…
If I were a hacker, I would naturally assume that a pre-eminent software company like Adobe would require a minimum of 12 characters. As a result, I would tailor my brute force attack to focus only on lengths above that threshold, thereby making their systems impenetrable.
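
The arithmetic behind the 12-character recommendation, and what a maximum-length cap does to it, as an added example that is not part of the original post. It assumes a 95-character printable-ASCII alphabet, treats the post's 3 billion passwords a second as a flat guess rate, and uses a hypothetical 8-character cap (not a figure from the post).

```python
# Added example: worst-case keyspace exhaustion time under a password-length policy.
GUESSES_PER_SECOND = 3_000_000_000   # rate quoted in the post
ALPHABET_SIZE = 95                   # assumption: printable ASCII characters
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(min_len, max_len, alphabet=ALPHABET_SIZE):
    """Count candidate passwords with min_len <= length <= max_len."""
    if min_len < 1 or max_len < min_len:
        raise ValueError("need 1 <= min_len <= max_len")
    return sum(alphabet ** n for n in range(min_len, max_len + 1))


def years_to_exhaust(min_len, max_len, rate=GUESSES_PER_SECOND,
                     alphabet=ALPHABET_SIZE):
    """Worst-case years to try every password the policy allows."""
    return keyspace(min_len, max_len, alphabet) / rate / SECONDS_PER_YEAR


def min_length_for(target_years, rate=GUESSES_PER_SECOND,
                   alphabet=ALPHABET_SIZE):
    """Smallest single length whose keyspace takes >= target_years to exhaust."""
    n = 1
    while years_to_exhaust(n, n, rate, alphabet) < target_years:
        n += 1
    return n


if __name__ == "__main__":
    # Each extra character multiplies the attacker's work by the alphabet size.
    for n in (8, 10, 12):
        print(f"exactly {n:2d} chars: {years_to_exhaust(n, n):14.3f} years")

    # A maximum-length cap bounds the whole search space, whatever users pick.
    hypothetical_cap = 8  # assumption for illustration only
    capped = years_to_exhaust(1, hypothetical_cap)
    print(f"everything up to {hypothetical_cap} chars: {capped * 365:.1f} days")

    # Minimum length needed to push exhaustion past a 1000-year target.
    print("length for 1000 years:", min_length_for(1000))
```

These figures are upper bounds for randomly chosen passwords; human-chosen passwords fall much sooner, which is another reason a policy should set a floor on length and not a ceiling.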