Originally published at: http://www.howtogeek.com/165108/are-short-passwords-really-that-insecure/
SuperUser reader user31073 is curious whether he should really heed those short-password warnings:
Re brute-force attacks, short passwords are more insecure than non-complex ones. The choice of possible passwords, B characters long, from a given number of characters A, is A to the power of B, ie AxAxA ... B times; the choice rises more sharply with increases in B, rather than A. For example, 5 to the power of 7 = 78125, 7 to the power of 5 = 16807.
remembering previous HTG articles on this subject, it would seem that the particular short password given would be safer than a long password such as my1BigButtShy because of the techniques used by a lot of Brute force techniques. These techniques include: common words, capitalizing the first letter of common words, and sticking numbers in between words. As random as the SuperUser's password example was, a longer one would be difficult to remember, thus making the password less useful. Therein is the tradeoff in this issue.
I think the answers are more geared towards on-line accounts than specifically for completely off-line such as TrueCrypt, Keepass, ect., for something like TrueCrypt it is (as said) completely off-line you start up your computer and it asks for the password, as long as you can enter a password there an infinite amount of times you will be able to brute force it, this is why a long random password is required as for each character you add the total possible passwords go up exponentially.
If we think of something like Keepass you have a single encrypted file I am sure there will be a way to have an automated system try every possible password in order to attempt to crack it, the same I'm sure could be said for a TrueCrypt container, if you had more resources you could duplicate said files and put them of more than one computer to crack to slightly reduce the time.
I have absolutely no idea if any programs or anything exist in order to attempt it or how fast they could work, from the top of my head the Amazon Cloud computer can only try passwords up to 8 characters is a reasonable time (a few days) after that you end up at years and centuries.
So I would say using a short random 8 character password is not good but greater than that should be OK (as in the thief who steals you computer will certainly not wait a year to try and decrypt your computer). All this relies that it's even possible to attempt to brute something like TrueCrypt automatically and quickly.
With Keepass you can set how many encryption rounds is needed to unlock your DB, setting that to a higher amount will prevent brute forces further as it will take more time to crunch the numbers.
The search engine Wolfram Alpha can be used to calculate the strength of passwords in terms of how long it would take a brute force attack to reveal the password. The site is www.wolframalpha.com.
Here is the link to the tool, with "password strength" entered in the input window.
You can also enter "number of day until Christmas", or "number of days since death of Julius Ceasar", of "current distance of Pluto from the sun". Quotation marks are not required.
Oops, I forgot to enter the direct link to the password strength:
In Wolfram Alpha, enter password strength of tj4T-b_3.5449
The time to brute force calculate that one is 2.813 trillion years at 100,000 passwords combinations per second. Note that other methods than bruce force, with massively-parralled computing or especially the advent of quantum computing, will change the solution time.
Yay! My Gmail pass is "very strong"!