Basic Password Security: Think again. #nsa #&pals!

Shopping for an SSL certificate, I see cert keys must now be 2048 characters, not just the previous 1028.

… Such is the spying frenzy from our dear leaders, good job.

My clearly not-at-all-political point is this: isn't it time that we recognised that, to protect our biz and identities, we should be using mission-critical passwords of, what, at least 128 characters? Or maybe just 64 if you change them each quarter?

So I just set up a mail server for a client, or rather the web hosting account with effective root access, yet the maximum password length was a mere 40 characters … this is for a mail server!

Sure, there are cases where we can add two-factor authorisation, IP deny/allow and what-have-you, but this is frequently not the case.

The web needs to catch up with the threat.
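As an added example, not code from the post, here is a small Python calculator for how much entropy a uniformly random password of a given length actually carries, the shortest length that reaches a target strength, and a CSPRNG-based generator for testing a server's length cap; the RSA figures are the NIST SP 800-57 security-strength approximations, included for comparison and assumed here.

```python
import math
import secrets
import string

# Printable ASCII minus space: the usual "any character allowed" password alphabet (94 symbols).
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(length: int, alphabet_size: int = len(PRINTABLE)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def min_length_for_bits(target_bits: float, alphabet_size: int = len(PRINTABLE)) -> int:
    """Shortest uniformly random password over the alphabet reaching target_bits of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_password(length: int, alphabet: str = PRINTABLE) -> str:
    """Uniformly random password from the OS CSPRNG (secrets, never the random module)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Approximate security strength of RSA moduli (NIST SP 800-57 Part 1, assumed here):
# the modulus size in bits is not the attacker's work factor in bits.
RSA_STRENGTH_BITS = {1024: 80, 2048: 112, 3072: 128}

if __name__ == "__main__":
    for n in (40, 64, 128):
        print(f"{n:4d} random printable chars ~ {entropy_bits(n):6.1f} bits of entropy")
    for target in (80, 112, 128, 256):
        print(f"{target:4d}-bit target needs >= {min_length_for_bits(target)} random chars")
    for modulus, strength in RSA_STRENGTH_BITS.items():
        print(f"RSA-{modulus} ~ {strength}-bit security strength")
    print("sample 40-char password:", generate_password(40))
```

A 40-character password drawn uniformly from this alphabet is already past 256 bits, so a hard cap at 40 hurts mainly word-based passphrases, whose entropy per character is far lower.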

Related: How to Set Passwords That Can't Be Hacked


About the Author:

Olly Connelly (yeah, that's me) blogs at, polices WordPress security at and helps noobs build web servers at, so if you've got sleeping problems you know where to come.
