Cracking Time for Passwords with Eight vs. Nine Characters

On page 18, in the discussion of how much faster brute-force cracking has become since 2006 (when I estimated it would take 21 years to crack an eight-character password by brute force, and centuries to crack a nine-character password), I say:

As of late 2012, nine-character passwords containing upper- and lowercase letters, digits, and symbols can be cracked by brute force in—are you ready?—five and a half hours.

Based on the Ars Technica article I reference there, I should have said that eight-character passwords (not nine) can be cracked in five and a half hours. According to my calculations, at the same rate, a nine-character password would take at most 475 hours, or just under 20 days, to crack. That’s much better than five and a half hours, to be sure, but still several orders of magnitude shorter than the “centuries” for which I thought such a password would remain secure just a few years ago. I’ll correct this error in the next update to the book—but for all I know, password cracking may have become so much faster in the last few months that my initial statement was accurate after all!
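The scaling argument above, worked through as an added example (not from the original post or the book): the guess rate is inferred from the "eight characters in 5.5 hours" figure, then projected to other lengths. It assumes a 95-symbol alphabet (26 + 26 + 10 + 33 printable ASCII symbols) and that the 5.5 hours means exhausting the whole 8-character keyspace; with 95 symbols the nine-character worst case comes out at 95 × 5.5 = 522.5 hours, so the post's 475-hour figure corresponds to a somewhat smaller symbol set.

```python
"""Brute-force cracking-time projection (added example, not the book's code).

Assumptions: a policy requiring all four character classes yields a 95-symbol
alphabet, and the baseline "8 characters in 5.5 hours" means exhausting the
full 8-character keyspace. The guess rate is derived from that baseline, not
taken from the Ars Technica article the post cites.
"""

CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def alphabet_size(classes):
    """Size of the alphabet the attacker must search for the given classes."""
    return sum(CLASS_SIZES[c] for c in classes)


def keyspace(length, alphabet):
    """Distinct passwords of exactly `length` symbols over `alphabet` symbols."""
    return alphabet ** length


def implied_rate(length, alphabet, hours):
    """Guesses per second needed to exhaust that keyspace in `hours`."""
    return keyspace(length, alphabet) / (hours * 3600)


def worst_case_hours(length, alphabet, rate):
    """Time to try every candidate: the 'at most' figure in the post."""
    return keyspace(length, alphabet) / rate / 3600


def average_hours(length, alphabet, rate):
    """Expected time for a uniformly random target: half the keyspace."""
    return worst_case_hours(length, alphabet, rate) / 2


def project(baseline_length, baseline_hours, alphabet, lengths):
    """Scale a measured baseline to other lengths at the same guess rate.

    Each extra character multiplies the worst case by `alphabet`, so the
    result is linear in the baseline time but exponential in length.
    """
    rate = implied_rate(baseline_length, alphabet, baseline_hours)
    return {n: worst_case_hours(n, alphabet, rate) for n in lengths}


if __name__ == "__main__":
    full = alphabet_size(["lower", "upper", "digit", "symbol"])
    for n, h in project(8, 5.5, full, [8, 9, 10, 12]).items():
        print(f"{n} chars: {h:,.1f} hours worst case ({h / 24 / 365:,.2f} years)")
    # Length beats complexity: 12 lowercase letters give a larger keyspace
    # than 8 characters drawn from all 95 symbols.
    print(keyspace(12, 26) > keyspace(8, 95))
```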