Sufficiently Secure

I use the term Sufficiently Secure when describing passwords, pass phrases, and sometimes encryption and security practices in general.  This is an explanation of what I mean by that term.

First, there is no such thing as perfect security.  Somewhere, somehow, there is or will be a flaw that an attacker can exploit and until that happens, all we know is that things seem secure for the moment and we’ve taken as many precautions as we deem reasonable at the time.  To help come to a conclusion, we can make assumptions based on current methods, attacks, and tools that are identified in the wild.  Some of those assumptions may be proven to be faulty in time, but that is a risk I choose to take based on the given situation.  From time to time I review my assumptions when it comes to security as new attacks are discovered and I encourage everyone to do the same.

Most commonly, I use sufficiently secure to describe a password or pass phrase.  In that context, I currently mean that a credential should be at least 16 characters in length and be structured like a nonsense sentence complete with spaces and punctuation if possible.

The reason I use 16 characters is that, based on the latest password cracking super hardware (as of 2015), an all lower case, text only password of that length would take 3 thousand years to brute force through all possibilities.  Statistically, a brute force attack doesn’t have to go through all possibilities because the answer is found along the way.  It’s common to assume that by halfway through, there may be success.  So that puts us at 1,500 years.  Knowing that technology improves every year and that attackers can work together, we’ll cut that in half again to 750 years.  I consider it to be very unlikely, but not completely impossible, that an attacker could improve on that speed substantially in the near future.

So if it will take an attacker 750 years to brute force a 16 character lower case text only password, I consider that to be secure enough to sleep at night.  Add in a number or two, punctuation and spaces to form a sentence like “Pop d0g cumulus!” and that takes us to 1 trillion years.  So I don’t have any fear of that being brute force cracked in anyone’s lifetime – even with substantial gains in technology and methodology.
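The arithmetic behind those figures, as an added example that is not part of the original post: it computes the keyspace for a character set and length, converts it to years at an assumed guess rate, applies the post's two halvings (success expected halfway, then hardware growth and cooperating attackers), and works backwards from the post's own 3 thousand year figure to the guess rate that figure implies. The character class sizes (26 lower, 26 upper, 10 digits, 33 punctuation and space) and the `alphabet_size_for` heuristic are my assumptions, not anything the post states.

```python
"""Brute-force time estimates in the style of the post's "sufficiently secure" reasoning.

Added example; the guess rate and character class sizes are constructed assumptions.
"""
import string

SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60

# Character classes an attacker would have to cover, with assumed class sizes
# (printable ASCII: 26 + 26 + 10 + 32 punctuation + 1 space = 95).
_CLASSES = [
    (26, str.islower),
    (26, str.isupper),
    (10, str.isdigit),
    (len(string.punctuation) + 1, lambda c: c in string.punctuation or c == " "),
]


def alphabet_size_for(password: str) -> int:
    """Size of the smallest class-based alphabet that covers every character used."""
    return sum(size for size, pred in _CLASSES if any(pred(c) for c in password))


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly this length over this alphabet."""
    return alphabet_size ** length


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Years needed to try every candidate at a constant guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second / SECONDS_PER_YEAR


def implied_guess_rate(alphabet_size: int, length: int, years_to_exhaust_all: float) -> float:
    """Guess rate that would exhaust the keyspace in the given number of years.

    Lets us recover the rate behind a published "N years" claim, e.g. the post's
    3 thousand years for 26^16.
    """
    return keyspace(alphabet_size, length) / (years_to_exhaust_all * SECONDS_PER_YEAR)


def post_estimate(alphabet_size: int, length: int, guesses_per_second: float) -> dict:
    """Apply the post's reasoning: full keyspace, halve for expected success
    halfway through, halve again for faster hardware and cooperating attackers."""
    full = years_to_exhaust(alphabet_size, length, guesses_per_second)
    return {
        "exhaustive": full,
        "expected_halfway": full / 2,
        "with_growth_margin": full / 4,
    }


def estimate_for_password(password: str, guesses_per_second: float) -> dict:
    """Convenience wrapper: estimate from the password's own character classes.

    Note this measures raw brute force only; dictionary and pattern attacks are
    a separate question the post addresses by recommending nonsense sentences.
    """
    return post_estimate(alphabet_size_for(password), len(password), guesses_per_second)


if __name__ == "__main__":
    # Derive the guess rate implied by the post's 3 thousand year figure for 26^16.
    rate = implied_guess_rate(26, 16, 3000)
    print(f"implied guess rate: {rate:.3g} guesses/second")
    for pw in ["popdogcumulusxyz", "Pop d0g cumulus!", "Pop d0g cumulus! and some m0re."]:
        est = estimate_for_password(pw, rate)
        print(f"{pw!r}: alphabet={alphabet_size_for(pw)} length={len(pw)} "
              f"years with margin={est['with_growth_margin']:.3g}")
```

At the rate implied by the post's figure, the 16 character lower case case comes out at 750 years after both halvings, and moving to the mixed "Pop d0g cumulus!" style multiplies the keyspace by roughly a billion (95^16 / 26^16), which is the jump from hundreds of years to on the order of a trillion that the post describes.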

Even if it were possible to construct a device to crack that password faster, by the time you weigh that option against other more straightforward options, it’s just not very likely to happen.  Faced with the potential for hundreds or thousands of dollars in equipment costs, dozens of people having to work together, and the ultimate lack of any promise of success – an attacker would sooner pick up a gun and kidnap me versus trying to brute force a password like that.

What the attackers do (as proven time and again by real world interviews and forensic analysis) is take the path of least resistance.  For example, an attacker may try to brute force a password for a few hours or days, but if that’s not successful quickly, then they move on to other methods.  There might be some determined attacker who has been trying to brute force their way through a password for the last decade, but changing the password with any frequency at all throws away all that work, so the attempt is extremely risky and comes with very little chance of success.  Why waste that much time?

Next year, next decade, maybe sufficiently secure might include more characters, or it might mean certificate based authentication only.  Only time will tell.  But for now, 16 characters in a nonsense sentence is what I call sufficiently secure.  Nonsense sentences are often easy to make longer, however, so 20-30 characters will be even better and more future-proof.