This article is based on the research conducted by researchers at the Georgia Institute of technology.
Their research primarily focussed on brute forcing passwords using powerful graphic cards that are available today on PCs. According to them, any passwords shorter than 12 characters could be vulnerable.
Most of the organization currently use either 6 or 8 character passwords. Considering this, 12 characters would be difficult to get a buy-in from the user community and implement.
So, should you be worried?
Not so much in my opinion if you have a proper implementation of other controls such as the following:
- Account lockout (after 3 to 5 attempts)
- A controlled way to reset passwords
- Proper verification mechanism for internal and third party users
- Proper monitoring which looks for unusual account lockouts and brute force attempts
- Proper segregation of duties
- Proper server hardening, privilege access control and monitoring
While it is good to have more characters in a password, it is not a major concern if you have multiple controls to protect against malicious use.
This is similar to the FPGA cracking that was introduced few years go to crack WPA keys and Bluetooth PINs, of course it is much more expensive than the graphic cards.