A mixed-case password that is eight characters long and contains a numeral and a symbol has long been considered strong, even by many IT departments. After all, it is one of 6.1 quadrillion combinations, and would take a reasonably fast computer nearly a year to crack.
That password, however, is no longer secure enough, thanks to human behavior and technology.
For starters, humans struggle to retain more than seven numbers in short-term memory. Adding letters, cases, and symbols makes remembering that much more difficult. As a result, humans tend to select words and names that have some personal meaning; they begin passwords with an uppercase letter and end them with whatever numerals and symbols are required. Therefore, it’s no surprise that, in a recent study of 6 million actual user-generated passwords, the 10,000 most common passwords would have accessed 98.1 percent of all accounts. The prevalence of common passwords makes it even easier for hackers to crack passwords.
Even more worrisome than non-random passwords is password re-use. The average user has 26 password-protected accounts, but only five passwords.
Advances in technology are further aiding would-be hackers. A computer loaded with the latest virtualization software and high-powered graphics cards can now crack an eight-character password in 5½ hours.
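The figures above can be turned into a password check. This is an added example, not part of the original article. It flags passwords that satisfy the complexity rule yet follow the capital-first, numerals-and-symbols-last habit, and shows how little of the 6.1 quadrillion space such a shape covers. The sample blocklist, the sample passwords, and the constant guess rate derived from the 5½-hour figure are assumptions.

```python
import re
import string

# The 94 printable ASCII characters (no space); 94**8 is the "6.1 quadrillion".
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}
# Habit described above: capital first, lowercase word, numerals/symbols last.
PREDICTABLE = re.compile(r"[A-Z][a-z]+[^A-Za-z]+")
# Constructed stand-in for a real list of the most common passwords.
COMMON_SAMPLE = {"password1!", "welcome1!"}
# Assumption: constant guess rate implied by the 5.5-hour figure for 94**8.
GUESSES_PER_SECOND = 94 ** 8 / (5.5 * 3600)


def char_class(ch):
    for name, chars in CLASSES.items():
        if ch in chars:
            return name
    raise ValueError(f"character outside the 94-symbol set: {ch!r}")


def full_keyspace(length):
    return sum(len(chars) for chars in CLASSES.values()) ** length


def shape_keyspace(password):
    """Candidates left to search once the per-position character classes are guessed."""
    total = 1
    for ch in password:
        total *= len(CLASSES[char_class(ch)])
    return total


def assess(password, common=COMMON_SAMPLE):
    kinds = {char_class(ch) for ch in password}
    shape = shape_keyspace(password)
    return {
        "meets_rule": len(password) >= 8 and kinds == set(CLASSES),
        "common": password.lower() in common,
        "predictable_shape": bool(PREDICTABLE.fullmatch(password)),
        "shape_keyspace": shape,
        "fraction_of_full": shape / full_keyspace(len(password)),
        "seconds_at_assumed_rate": shape / GUESSES_PER_SECOND,
    }


if __name__ == "__main__":
    for pw in ("Summer1!", "Password1!", "k7#Qv!2m"):  # constructed samples
        print(pw, assess(pw))
```

The shape figures only matter when `predictable_shape` is true, because that is the case where the layout can be assumed in advance; a real deployment would replace `COMMON_SAMPLE` with a full common-password list.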
Source:
http://deloitte.wsj.com/cio/2013/07/11/the-8-character-password-is-no-longer-secure/?icontype=video