By Bruce Schneier, author of recent book, Carry On: Sound Advice from Schneier on Security
I’ve been reading a lot about how passwords are no longer good security. The reality is more complicated. Passwords are still secure enough for many applications, but you have to choose a good one. And that’s hard. The best way to explain how to choose a good password is to describe how they’re broken. The most serious attack is called offline password guessing. There are commercial programs that do this, sold primarily to police departments. There are also hacker tools that do the same thing.
As computers have become faster, the guessers have got better, sometimes being able to test hundreds of thousands of passwords per second. These guessers might run for months on many machines simultaneously.