I was reading an interesting article today that estimates the time required to crack a password by brute force for various types of passwords. You think your "paSSw0rd" is secure because you used mixed-case characters and numbers? Well, it might be for someone with a Pentium 100 and a short attention span, but anyone willing to wait 1.5 years to crack your password will get your data. However, someone with a strong workstation doesn't need to wait that long - 25 days is all he needs.
So let's say you are even more sophisticated, as I used to consider myself, and you add some symbols to your password. I always thought my password was super-secure because it used mixed-case letters, numbers and multiple common symbols - something like "pA$$w0R@". However, according to the chart, this password could be cracked in 2.25 years with a reasonably strong multi-core workstation. This may seem like a long time, but it really isn't: your password should last as long as the value of what it protects requires, and my banking information will likely remain valid for the next 10-20 years. For me, 2.25 years is simply not enough. So maybe I should add one more digit?
Before adding just one digit, consider a distributed network of machines like the one distributed.net uses for its RC5 project. This project recently showed that it was capable of trying 139,285,658,551 passwords a second!! That's 139 Billion keys (yes, that is a B) per second. Simply amazing. With a system like this, a hacker could break your 8-character password (one that includes symbols) in 83 days.
Adding a single digit would increase the time to crack it to about 22 years, which is still a little too close for my liking. After all, in 20 years machines will be a million times faster, so the equivalent of a Pentium 100 in 20 years will be able to crack your password in about 2 hours.
I think it's time to ditch the 8-character password and use something more reasonable like 12 characters. This would expand the keyspace by 84 million times, and a network like distributed.net would take 20 million years to crack it. Even in 20 years, it would still take 20 years to crack.
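The arithmetic behind these estimates, as an added example that is not part of the original post: keyspace size, worst-case exhaustive-search time at the distributed.net rate quoted above, and the speed-up from a one-year doubling period (which gives the "million times faster in 20 years" figure). The 95-character printable ASCII alphabet and the doubling period are assumptions; the chart's exact alphabet is not stated in the post, so its figures are not reproduced here.

```python
# Added example (not from the original post): brute-force keyspace and
# crack-time arithmetic behind the figures discussed above.
# Assumptions: exhaustive search over a fixed alphabet, the 139,285,658,551
# keys/second rate quoted for distributed.net, and 95 printable ASCII
# characters as the "symbols" alphabet (the chart's alphabet is not stated).

LOWER = 26                 # a-z
MIXED_CASE = 52            # a-z, A-Z
MIXED_CASE_DIGITS = 62     # a-z, A-Z, 0-9
PRINTABLE_ASCII = 95       # every printable ASCII character, symbols included

DISTRIBUTED_NET_RATE = 139_285_658_551   # keys per second, from the post
SECONDS_PER_YEAR = 365 * 24 * 60 * 60


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int, rate: int) -> float:
    """Worst-case time: the attacker has to try every candidate once."""
    return keyspace(charset_size, length) / rate


def years_to_exhaust(charset_size: int, length: int, rate: int) -> float:
    return seconds_to_exhaust(charset_size, length, rate) / SECONDS_PER_YEAR


def keyspace_growth(charset_size: int, old_len: int, new_len: int) -> int:
    """Factor by which the keyspace grows when a password gets longer."""
    return charset_size ** (new_len - old_len)


def rate_after_years(rate: float, years: float, doubling_period: float = 1.0) -> float:
    """Assumption: attacker throughput doubles every `doubling_period` years
    (a one-year period reproduces the post's 'million times faster in 20 years')."""
    return rate * 2 ** (years / doubling_period)


if __name__ == "__main__":
    for length in (8, 9, 12):
        now = years_to_exhaust(PRINTABLE_ASCII, length, DISTRIBUTED_NET_RATE)
        later = years_to_exhaust(PRINTABLE_ASCII, length,
                                 rate_after_years(DISTRIBUTED_NET_RATE, 20))
        print(f"{length} chars: {now:,.2f} years today, {later:,.4f} years in 20 years")
    print("8 -> 12 chars multiplies the keyspace by",
          f"{keyspace_growth(PRINTABLE_ASCII, 8, 12):,}")
```

Plug in a different alphabet size or rate to see how much of the margin comes from length versus character classes.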
Saturday, August 12, 2006