How secure are passwords with under 20 characters length?

I recently received a recommendation to set my password to more than 20 characters. The algorithm used for encryption is AES with a 256-bit primary key. How secure is, let's say, an 8-character password against brute-force attacks aimed at deciphering encrypted files?

I know that this is considered a good password size on most websites. One reason for this is that they can stop an attack after 3 attempts or so.


Solution 1:

This is an interesting article (see PDF print if web archive unavailable). It details how long it would theoretically take to brute force a password for different lengths and symbol sets.

Solution 2:

You might want to point whoever wrote that policy at this blog post from Bruce Schneier.

It's a good write-up of why the strength of passwords is the least of anyone's problems on the web.

Solution 3:

Look at the accepted answer in this post. Shows that even an 8 character password using the full range of characters can take ~10,000 years to crack!

Solution 4:

If you count the use of rainbow tables as brute force (opinions vary) then for 8 characters, using rainbow tables that include all the characters in the password, about 10 seconds. 20 character password (same characters, same rainbow tables), less than 30 seconds. The catch is that it takes a long time to generate the tables. Mine took about a month to generate on a 3GHz machine processing only at night. On the other hand, you only need to do that once.

The issue of trying to remember long passwords is easily solved by a combination of character substitution and using a phrase. Even something as simple as "#Fr3ddy M3rcury#" is complex enough for most uses, yet is remarkably easy to remember.

Solution 5:

Consider that an eight-character password may be remembered. A 20-character password will be written down.

And then someone can read it.