Essentially, Baekdal shows that while a single word is useless as a password because it is easily cracked using common hacking methods, stringing together a few words using a separator like a space, dash, or similar character can catapult a phrase like "this is fun" into secure territory, as you can see in this chart:
In fact, Baekdal goes on to say that by using 3 words in a password, it can take over a million years to crack using brute-force or almost 40 million years using a dictionary attack. That makes this approach 10 times more secure than using a gibberish string like J45sx>2.
If you have control over the log-in procedure at your server, Baekdal further suggests adding a time delay between sign-in attempts and a penalty period if the wrong password is entered several times in a row. These two practices can essentially convert even a 2-word password, which is crackable in just a few months, into something that sustain continuous attack for almost 2,000 years.
Of course, all of these time estimates will continue to drop as computers get faster and computing power gets cheaper, so it pays to periodically review how you secure your corporate and personal data. But for now, it looks like this more straightforward password strategy could make a lot of sense. [via Lifehacker]
More on BNET: