Speedy password cracking

Earlier today Jeff Atwood tweeted:

you should *really* be scared if your passwords are all lowercase. 12 chars in 75 days on my box..

He was referring to his post on speed hashing, where a video card's GPU is used to calculate the hash of any given text. It does this much faster than a computer's CPU.

all 6 character password MD5s: 47 seconds
all 7 character password MD5s: 1 hour, 14 minutes
all 8 character password MD5s: ~465 days
all 9 character password MD5s: fuggedaboudit

It’s honestly scary, and it really is time for everyone to use pass phrases. They’re not perfect either, but they’re better because they’re longer and easier to remember. Some of my passwords are not phrases yet; this pass phrase generator (or this one) should help make it easier to change those.


* obligatory xkcd cartoon.

One thought on “Speedy password cracking”

  1. It is 2012, I’m hoping most folks are using bcrypt, with a salt and a reasonably large number of rounds. That would dramatically reduce the speed of generating all possible hashes. It is well past time to stop using MD5 for storing password hashes.
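
The arithmetic behind the tweet, the pass phrase advice and the comment about slow salted hashes, as an added example (not code from this post or from Jeff Atwood's article). It derives the guess rate implied by "12 lowercase characters in 75 days", applies it to constructed cases, and measures how much a salted iterated hash costs per guess. Assumptions: lowercase means the 26 letters a-z, pass phrase words are drawn at random from a 7776-word list, and PBKDF2 from the standard library stands in for bcrypt.

```python
import hashlib, math, os, time

DAY = 86_400  # seconds

def keyspace(symbols: int, length: int) -> int:
    """Candidates of exactly `length` items, each drawn from `symbols` choices."""
    return symbols ** length

def implied_rate(symbols: int, length: int, days: float) -> float:
    """Guesses per second implied by exhausting a keyspace in `days`."""
    return keyspace(symbols, length) / (days * DAY)

def days_to_exhaust(symbols: int, length: int, rate: float, slowdown: float = 1.0) -> float:
    """Worst-case days to try every candidate; `slowdown` models a costlier hash."""
    return keyspace(symbols, length) * slowdown / rate / DAY

def hash_slowdown(iterations: int = 100_000, md5_runs: int = 20_000) -> float:
    """Measured cost of one salted PBKDF2-HMAC-SHA256 guess relative to one MD5 guess."""
    pw, salt = b"correct horse", os.urandom(16)  # constructed sample password
    t0 = time.perf_counter()
    for _ in range(md5_runs):
        hashlib.md5(pw).digest()
    md5_each = (time.perf_counter() - t0) / md5_runs
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)
    return (time.perf_counter() - t0) / md5_each

# Rate implied by the tweet: 12 lowercase letters (26 symbols, assumed a-z) in 75 days.
RATE = implied_rate(26, 12, 75)

# Constructed comparison set; 7776 words per list is an assumption (Diceware-style).
CASES = [
    ("8 random lowercase letters", 26, 8),
    ("12 random lowercase letters", 26, 12),
    ("4 random words", 7776, 4),
    ("5 random words", 7776, 5),
    ("6 random words", 7776, 6),
]

def report(slowdown: float = 1.0):
    """(label, entropy bits, days to exhaust) per case at the tweet's implied rate."""
    return [(label, n * math.log2(s), days_to_exhaust(s, n, RATE, slowdown))
            for label, s, n in CASES]

if __name__ == "__main__":
    factor = hash_slowdown()
    print(f"implied MD5 rate: {RATE:.3g} guesses/s, measured slowdown: {factor:,.0f}x")
    for (label, bits, fast), (_, _, slow) in zip(report(), report(factor)):
        print(f"{label:28} {bits:5.1f} bits  MD5 {fast:12.3g} d  slow hash {slow:12.3g} d")
```

The slowdown is measured on the local CPU, so treat it as an order-of-magnitude illustration rather than a GPU benchmark. The word figures hold only when the words are chosen at random, which is what a generator is for.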
