Assuming the hacker has a reasonably fast connection and PC, below is an estimate of the amount of time it would take to generate every possible combination of passwords for a given number of characters. After generating the list, it's just a matter of time before the computer runs through all the possibilities -- or gets shut down trying.

 
Password lengthAll charactersOnly lowercase characters
3 characters0.86 second0.02 second
4 characters1.36 minutes0.046 second
5 characters2.15 hours11.9 seconds
6 characters8.51 days5.15 minutes
7 characters2.21 years2.23 hours
8 characters2.10 centuries2.42 days
9 characters20 millenniums2.07 months
10 characters1,899 millenniums4.48 years
11 characters180,365 millenniums1.16 centuries
12 characters17,184,705 millenniums3.03 millenniums
13 characters1,627,797,068 millenniums78.7 millenniums
14 characters154,640,721,434 millenniums2,046 millenniums

Pay particular attention to the difference between using only lowercase characters and using all possible characters (uppercase, lowercase and special characters like @#$%^&*). Adding just one capital letter and one asterisk would change the processing time for an eight-character password from 2.4 days to 2.1 centuries.

Remember, these are just for an average computer, and these assume you aren't using any word in the dictionary. If Google put its computers to work on it, it'd finish about 1,000 times faster.

Now, I could go on for hours and hours more about all sorts of ways to compromise your security and generally make your life miserable, but 95% of those methods begin with compromising your weak password. So, why not just protect yourself from the start and sleep better at night?

Believe me, I understand the need to choose passwords that are memorable. But, if you're going to do that, how about using something that no one is ever going to guess and doesn't contain any common word or phrase in it.

Here are some password tips:

  • Randomly substitute numbers for letters that look similar. The letter "o" becomes the number 0 -- or, even better, an "@" or "*" (for example, m0d3ltf@rd instead of modelTford) .
  • Randomly throw in capital letters (Mod3lTF0rD).
  • Think of something you were attached to when you were younger, but don't choose a person's name. Every name plus every word in the dictionary will fail under a simple brute-force attack.
  • Maybe a place you loved, a specific car, an attraction from a vacation or a favorite restaurant?
  • You really need to have different user name and password combinations for everything. Remember, the technique is to break into anything you access just to figure out your standard password, then compromise everything else. This doesn't work if you don't use the same password everywhere.
  • Since it can be difficult to remember a ton of passwords, I recommend using RoboForm for Windows. It will store all of your passwords in an encrypted format and allow you to use just one master password to access all of them. It will also automatically fill in forms on Web pages, and you can even get versions that allow you to take your password list with you on your PDA, phone or a USB key. To download it without having to navigate RoboForm's website, try this direct download link.
  • For Mac users I recommend 1Password (though RoboForm does also offer a Mac version). And I should also note that both of these applications have companion versions for iPhones and Android devices, so you can sync your passwords and take them everywhere you go.
  • Once you've thought of a password, try Microsoft's password strength tester to find out how secure it is.

Another thing to keep in mind is that some of the passwords you think matter least actually matter most. For example, some people think that the password to their e-mail box isn't important because "I don't get anything sensitive there." Well, that e-mail box is probably connected to your online banking account. If I can compromise it, then I can log on to the bank's website and tell it I've forgotten my password and have it e-mailed to me. Now, what were you saying about it not being important?

Oftentimes, people also reason that all of their passwords and logins are stored on their computer at home, which is safe behind a router or firewall device. Of course, they've never bothered to change the default password on that device, so someone could drive up and park near the house, use a laptop to breach the wireless network and then try passwords from this list until they gain control of your network -- after which time they will own you.

I realize that every day we encounter people who exaggerate points in order to move us to action, but, trust me, this is not one of those times. There are 50 other ways you can be compromised and punished for using weak passwords that I haven't even mentioned.

Click here to become a fan of MSN Money on Facebook

I also realize that most people just don't care about all this until it's too late and they've learned a very hard lesson. But why don't you do me, and yourself, a favor and take a little action to strengthen your passwords and let me know that all the time I spent on this article wasn't completely in vain.

Please, be safe. It's a jungle out there.

John Pozadzides is the CEO of Woopra, one of the world's leading real-time Web analytics companies, and an expert in Internet architecture, infrastructure and security systems.