I wrote up the below in response to a question on a newsgroup about the best password length. It’s an old topic, but still very relevant. See my original piece here: http://www.securityfocus.com/infocus/1319
For Windows minimum password length, the difference between 7 and 8 is computationally negligible these days. 8 characters creates two halves of a LanMan hash (which is still created by default, both on servers and workstations). Enforcing an eight character complex password means users will typically put the special character (*&^%$) as the last character. (And many users will only create the minimal length password.) That leaves the first seven characters as alpha-numeric – which can be cracked with a small character set in a password cracker. The eighth character is then the special character, which is the first character in the second LanMan hash – so it will crack instantly in password cracker. You’ve then compromised a complex password of 8 characters in a matter of minutes.
If the password minimum length is seven, most users will make theirs seven, which means the special character is within the first 7 (probably last, but that doesn’t matter) which means in order to crack the LanMan hash, you’d need to run the cracker with the entire character set (not just alphanumeric) over the entire 7 character range – which will take a long time. Using this analogy, a seven character complex password will usually be tougher to crack than an 8-12 character complex password.
If you insist upon using 8, then make sure to set the registry key on all desktops, servers, and domain controllers to not create the LanMan hash. Then, run some of the freeware tools available to delete all existing LanMan hashes from the password history (as they can be used to help guess what the current password is).
Better yet, enforce a minimum of 15 characters. You should still run a tool to delete all the old password hashes just to be safe. With a 15 character password, it won’t save the LM hash, so it will be much tougher to crack.
I’ve done an experiment in the classroom on password length (before Steve Riley wrote an article on this – no offense Steve!). I ask each person on one side of the classroom to pick a password. They think up a password – one they would typically use at work. Don’t say it, just think of it. Then I ask people on the other side of the classroom to think of a passphrase. Don’t say it out loud- just think of it. I ask the first side of the room (password) to count the length of the password they thought of – and I ask the others (passphrase) to count the length of their passphrase. The first side of the room is usually sitting between 7 and 13 characters long. The second side of the classroom is anywhere from 20 to 60 characters long (rarely shorter than 15).
Asking users to think of passwords as ‘passphrases’ is a really good way to encourage long password length. It’s usually easier for a user to remember their passphrase, and it’s easy for them to change it next month (they can simply change a word or value in their phrase.) A good passphrase usually includes one or more spaces in the phrase – that helps with the special character (how many people put spaces in their passwords? not many…)
Therefore, if you want to go with a minimum less than 15, use 7, else do 15+ and educate folks about the coolness of the passphrase. Just don’t use 8. (See my article here – why 7 is better than 8: http://www.securityfocus.com/infocus/1319)
Eric's Musings on the Security World 