Minimum length password


194673
01-02-2009, 10:03 AM
What is the minimum length password that you guys would recommend using? Currently, I use randomly generated passwords consisting of alphanumeric text, and I'm thinking about moving on to 256-bit passwords (32 characters).

How long would something like that take to crack via brute force? What about if rainbow tables are used?

Millenia
01-02-2009, 11:16 AM
I don't know a lot about the subject, but I know that brute forcing a 32 character alphanumeric password would take a very long time.
The minimum characters I would use for something like this is probably 10. That's not much, but the bare minimum. 32 characters would be an incredibly safe password. Although nothing is completely secure, you will have a good advantage.
Is this a password for your computer user?

oracleguy
01-02-2009, 06:25 PM
It depends on the underlying system the password is for. The problem with a 32 character password is that it can be very hard to remember and causes people to resort to writing it down on a piece of paper.

Fou-Lu
01-02-2009, 06:47 PM
Agreed, this is always a huge problem.
15 minimum. Oracleguy may be able to break this down to its specifics, but on Windows server anything less than 15 is defaulted to lanman hash by default. You can change it of course to use a different algorithm, but anything currently stored is still in lanman.
My suggestion is 20 characters alphabetic. Numbers are nice, but ask your users to create pass phrases instead of words (with numbers if they can remember them). Phrases are really easy to remember and are always long.
'I love my dog, Sprinkles.' = 25 chars right there.

The bigger problems don't seem to be the length, but one of two things: writing them down (mentioned by oracleguy), and obvious trends. One of my buddies took two tries to guess his password. His name was Kirk and his password was C@pta1n. Even with uppercase, numerical and symbolic characters, it only took two tries. The password itself is fairly secure with its length and type of characters in use.

The best part about pass phrases is they can be written down. Not recommended, but you will always have users that write them down. The difference is, a potential threat with physical access to the machine will often overlook a passphrase, since it is not something that is commonly used as a password. Of course, this would depend on if the threat is an organizational threat or external threat - internal would know the standards in use.

owt200x
01-02-2009, 09:31 PM
The system I use for passwords is using 3 words that have nothing to do with each other; here are some examples:

orangemoonbattery
glasstelephonewood
inkrubbermeteor

194673
01-02-2009, 10:09 PM
Is this a password for your computer user?
It's not really for anything in particular, just for curiosity's sake. But I have already switched my Windows password to a randomly generated, alphanumeric, 32 character password just for kicks - not that anyone would actually have a desire to access my box.

I was thinking more of using these types of long, randomly generated passwords for websites such as this one, but once again, nobody would really want to hack my account anyways (I hope).

Agreed, this is always a huge problem.
15 minimum. Oracleguy may be able to break this down to its specifics, but on Windows server anything less than 15 is defaulted to lanman hash by default. You can change it of course to use a different algorithm, but anything currently stored is still in lanman.
My suggestion is 20 characters alphabetic. Numbers are nice, but ask your users to create pass phrases instead of words (with numbers if they can remember them). Phrases are really easy to remember and are always long.
'I love my dog, Sprinkles.' = 25 chars right there.
I did some preliminary research and found that the main weakness of LM hashes was that they encrypted passwords in two parts by splitting the password into sets of 7 characters and then running each individual part through the hashing function. The downfall of that is that the cracking process basically entails cracking a 7 character password, or in the worst case scenario, two 7 character passwords.

I heard that only Windows systems were susceptible to brute forcing because they are unsalted, whereas Unix-based systems have a unique hashing function due to the salt (which makes sense). But exactly how secure are NT hashes (the hash used for passwords over 15 characters)? With a large enough rainbow table I believe that I've read they can still be cracked in a relatively short time frame.

The system I use for passwords is using 3 words that have nothing to do with each other; here are some examples:

orangemoonbattery
glasstelephonewood
inkrubbermeteor
I was under the impression that these types of passwords were insecure because they would be vulnerable to dictionary brute forces. I suppose the issue concerns a tradeoff between memorability and security though; so I see where you're coming from.
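Putting numbers on the questions raised so far (brute-force time in the opening post, the 7-character LM split 194673 describes, and owt200x's three-word scheme), here is an added example in Python; it is not code from any poster in this thread. The guessing rate and the word-list size are assumptions, labelled as such in the code. One property of LM that the thread does not mention but that the calculation needs: LM upper-cases the password before hashing, so mixed case adds nothing and the effective character set is 69 rather than 95. The block also shows that a 32-character alphanumeric password carries about 190 bits, not 256, because each character contributes log2(62), roughly 5.95 bits.

```python
import math

# Constructed parameters for this example; tune them to the policy and the
# attacker model actually under consideration.
ALPHANUMERIC = 62          # a-z, A-Z, 0-9
LM_CHARSET = 69            # LM upper-cases before hashing: 26 letters + 10 digits + 33 symbols
WORDLIST_SIZE = 20_000     # assumed size of an everyday English word list
GUESSES_PER_SECOND = 1e9   # assumed offline guessing rate; a placeholder, not a measurement


def search_space(charset_size: int, length: int) -> int:
    """Candidates an exhaustive search must cover for a uniformly random password."""
    return charset_size ** length


def entropy_bits(space: int) -> float:
    """Entropy in bits of a uniformly random choice from `space` candidates."""
    return math.log2(space)


def lm_split_space(charset_size: int, length: int, piece_len: int = 7) -> int:
    """Effective search space when the password is cut into independent
    `piece_len`-character pieces that are each hashed on their own (the LM
    scheme described above). Each piece is attacked separately, so the
    per-piece costs add instead of multiplying."""
    pieces = []
    remaining = length
    while remaining > 0:
        pieces.append(charset_size ** min(piece_len, remaining))
        remaining -= piece_len
    return sum(pieces)


def passphrase_space(words_in_list: int, word_count: int) -> int:
    """Search space of the three-unrelated-words scheme when the attacker
    holds the same word list. Order matters, so it is list_size ** words."""
    return words_in_list ** word_count


def expected_crack_seconds(space: int, guesses_per_second: float) -> float:
    """Average case: half the space is tried before the right guess."""
    return space / 2 / guesses_per_second


def seconds_to_years(seconds: float) -> float:
    return seconds / (365.25 * 24 * 3600)


def compare(rate: float = GUESSES_PER_SECOND) -> dict:
    """Summarise the schemes discussed in the thread as (bits, expected years)."""
    scenarios = {
        "10 random alphanumeric": search_space(ALPHANUMERIC, 10),
        "32 random alphanumeric": search_space(ALPHANUMERIC, 32),
        "3 random words from a 20k list": passphrase_space(WORDLIST_SIZE, 3),
        "14 chars (LM charset), hashed whole": search_space(LM_CHARSET, 14),
        "14 chars (LM charset), two 7-char halves": lm_split_space(LM_CHARSET, 14),
    }
    return {
        name: (round(entropy_bits(space), 1),
               seconds_to_years(expected_crack_seconds(space, rate)))
        for name, space in scenarios.items()
    }


if __name__ == "__main__":
    for name, (bits, years) in compare().items():
        print(f"{name:42s} {bits:6.1f} bits  ~{years:.3g} years at {GUESSES_PER_SECOND:.0e} guesses/s")
```

Two things fall out of the numbers. Splitting into independent 7-character halves collapses 69^14 candidates to 2 * 69^7, which is why the length-15 threshold matters on systems that still store LM hashes. And three words from a 20,000-word list give about 43 bits, a little less than 8 random alphanumeric characters (about 48 bits), so the scheme's strength depends entirely on how large a list the words are actually drawn from, not on the character count of the result.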

oesxyl
01-02-2009, 10:46 PM
It depends on the underlying system the password is for. The problem with a 32 character password is that it can be very hard to remember and causes people to resort to writing it down on a piece of paper.
...or on a Post-it note stuck under the keyboard, on the wall, on the desk or on the screen of the monitor :)
For the same reason, generated passwords like njg&3#pfg are bad too.

best regards

oracleguy
01-02-2009, 11:22 PM
It's not really for anything in particular, just for curiosity's sake. But I have already switched my Windows password to a randomly generated, alphanumeric, 32 character password just for kicks - not that anyone would actually have a desire to access my box.

I was thinking more of using these types of long, randomly generated passwords for websites such as this one, but once again, nobody would really want to hack my account anyways (I hope).

In cases like that you should consider your password for the account on the computer to only be a medium security safeguard, since exploits in the OS can leave it vulnerable. Such as the thing a while back about using FireWire to override Windows passwords. Instead, protect very sensitive data through actual encryption with a strong pass phrase.

owt200x
01-03-2009, 12:12 AM
If you are using passwords like the ones I put above, and someone tries to brute-force it with a dictionary file, they would have to have that exact combination of words in their dictionary list. The chances they would have the exact words in the exact place as your password are slim.

borntoslow
01-04-2009, 08:50 AM
To answer your question: not very long at all.

Brute force and rainbow tables are used for entirely different methods of decryption.

Brute force will just try every possible combination till... well, it finds the password. You don't need to run this with a dictionary, so no worries with dictionary cracking as you say you are using random. Modern dictionary crackers can, though, begin to recognise patterns, names and words that you would not find in the dictionary, i.e. abcd, asdfg, 1234. These are very easy to get your hands on online if you don't know how to program them yourself.

A rainbow table would only be used if you were "storing" your passwords as hashes.

It's something I did a while back, an ethical hacking course, very informative and very scary to be honest. My knowledge is limited but I am sure there are people out there who will give you more information if you have concerns.
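On 194673's question about unsalted Windows hashes and borntoslow's point that rainbow tables only matter once stored hashes are in the attacker's hands, here is an added Python example of what a salt changes; it is not code from any poster. It uses SHA-256 and PBKDF2 from the standard library on constructed data: the word list, the two users who chose the same password and the iteration count are all assumptions. The plain lookup table stands in for a rainbow table, which is a space-optimised form of the same precomputation.

```python
import hashlib
import hmac
import os

# Constructed data for this example: a tiny word list standing in for the
# attacker's precomputed dictionary, and a password taken from the thread.
WORDLIST = ["password", "letmein", "C@pta1n", "orangemoonbattery", "Sprinkles"]
PBKDF2_ITERATIONS = 100_000   # assumed work factor; raise it as hardware gets faster


def unsalted_hash(password: str) -> str:
    """Bare hash of the password: identical passwords give identical hashes,
    and the same precomputed table serves against every system using this scheme."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(words) -> dict:
    """Precompute hash -> plaintext once, ahead of time. This is the work a
    rainbow table amortises; it only pays off when the target is unsalted."""
    return {unsalted_hash(w): w for w in words}


def recover_unsalted(stored_hashes, table: dict) -> dict:
    """With unsalted storage, any stored hash present in the precomputed table
    is resolved by a dictionary lookup; no hashing happens at crack time."""
    return {h: table[h] for h in stored_hashes if h in table}


def salted_record(password: str) -> dict:
    """Salted, iterated storage: a fresh random salt per user, PBKDF2 over the
    password. Two users with the same password get unrelated records."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(record["hash"], digest)


def table_entries_needed(words: int, salt_bytes: int) -> int:
    """Entries a precomputed table would need to cover every possible salt:
    the word list multiplied by 2**(8*salt_bytes) salt values. With a 16-byte
    salt that is 2**128 times the unsalted table, so the precomputation is
    abandoned and each stored hash costs a full per-guess PBKDF2 run instead."""
    return words * 256 ** salt_bytes


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    alice, bob = unsalted_hash("C@pta1n"), unsalted_hash("C@pta1n")
    print("unsalted: same password gives same hash:", alice == bob)
    print("unsalted: recovered from table:", recover_unsalted([alice, bob], table))
    a, b = salted_record("C@pta1n"), salted_record("C@pta1n")
    print("salted: same password gives same hash:", a["hash"] == b["hash"])
    print("salted: verify right/wrong:", verify(a, "C@pta1n"), verify(a, "c@pta1n"))
    print("table entries to cover a 16-byte salt:", table_entries_needed(len(WORDLIST), 16))
```

The salt does not add secret entropy to the password; it only defeats precomputation and stops identical passwords from being visible as identical hashes. The iteration count is what makes each remaining guess expensive, which is why both are used together.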

jerry62704
01-29-2009, 07:55 PM
Old thread, but new question.

My son was able to crack my 8 character password in Windows XP using an ISO-format DVD to boot from (1 minute 40 seconds). I changed it to 15 characters and now he has a method for that as well. He reports it also works on Vista (don't know how long it ran).

Is there a 3rd party password program that works? Since Windows doesn't have one that works, I was wondering if anyone else did.

oracleguy
01-30-2009, 01:11 AM
Old thread, but new question.

My son was able to crack my 8 character password in Windows XP using an ISO-format DVD to boot from (1 minute 40 seconds). I changed it to 15 characters and now he has a method for that as well. He reports it also works on Vista (don't know how long it ran).

Is there a 3rd party password program that works? Since Windows doesn't have one that works, I was wondering if anyone else did.

You mean he used a boot CD/DVD to change your Windows password? I've used those before usually to clear administrator passwords on computers when the password has been lost. There is little you can do when the attacker has physical access to the machine.

_Aerospace_Eng_
01-30-2009, 01:19 AM
Old thread, but new question.

My son was able to crack my 8 character password in Windows XP using an ISO-format DVD to boot from (1 minute 40 seconds). I changed it to 15 characters and now he has a method for that as well. He reports it also works on Vista (don't know how long it ran).

Is there a 3rd party password program that works? Since Windows doesn't have one that works, I was wondering if anyone else did.
You could set a boot password. You could reset it or use a backdoor BIOS password, which manufacturers usually provide, but you need to know what company makes the BIOS for your system.

AlexV
01-30-2009, 03:13 PM
Windows passwords are quite worthless if the "cracker" has access to the hard disk data.

Even if you put a password in the BIOS, you can clear it by removing the CMOS battery from the motherboard for a couple of seconds (when the computer is off!) (at least it worked for me each time I did it). You can also put the hard disk in another machine to see the data it contains.

The only real solution is to use hard drive encryption. If you have Vista Ultimate or Enterprise, you can use BitLocker Drive Encryption (http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption). There is plenty of third-party software but I don't know any (and I'm sure there is some for XP too).

When used with a good passphrase, hard drive encryption takes great firepower and time to crack.

Your problem is that your "attacker" has raw access to (unencrypted) data on your hard disk... Then he can use some tools to change/get data (in your case get/change the password). With an encrypted hard disk the tool will only see "garbage" data on the disk...