Password security and a comparison of Password Managers

There are two general approaches to password generation and management:

Password Managers which store passwords and have the flexibility to apply different complexity rules to each password or to store a pre-existing password - often required when a password needs to be shared between a team of people. The downside of the storage approach is that the password storage (file/database) needs to be managed carefully - secured, backed up and synchronised to all the devices where you will need to use the passwords. If the password store is lost or corrupted you will lose all the passwords! Destructive viruses such as CryptoLocker can also make a password store unreadable.

Password Generators which use a hash function, like the SS64 password generator, are easy to use and will repeatedly regenerate the same password when given the same inputs but they do have some limitations, the only way to change a password is to enter a different main password or a different salt value. All the generated passwords are the same length. //

NIST recommend 80 bits for the most secure passwords to resist a brute force attack. There is no definitive answer to the question of the minimum password strength required to avoid all types of attack; it is a moving target; over time we all need to use longer passwords.

Entropy Maximum Time to crack at 350 billion guesses/Sec
59 bits 457.50 Hours
65 bits 3.342 Years
71 bits 213.92 Years
77 bits 13,690 Years
80 bits 109,527.95 Years
89 bits 56078315.93 Years.

GPU computer clusters can cycle through as many as 350 billion guesses per second. [offline guesses against a stolen password database/file]

Kerckhoffs’s principle - A cryptosystem should be secure even if everything about the system, except the key, is public knowledge