enter the fray: our reader discussion forum
None of these passwords are secure
by p40tomahawk
The column is wrong. Anything up to **at least** 14 characters long, including pure gibberish passwords, can be cracked in seconds via a rainbow table attack. Sorry, but there is no easy solution to this problem. Aggregators like Roboform simply shift everything to a single point of failure: get one, get 'em all.
Re: None of these passwords are secure
by Thomas Reimel
Purely out of my own curiosity: does the 14-character threshold you mention take into account case sensitivity and the ten Arabic numerals, or is it assuming use of just the 26-letter English alphabet?
Re: None of these passwords are secure
by p40tomahawk

In principle, yes, the rainbow tables can be and are computed with all possible keyboard symbols, so even something like 'hF76&#kjsfBB' is cracked by a rainbow table.

In practice, the crackers have aimed specifically at particular Windows password systems. LANManager converts all characters to uppercase, thus reducing the security of passwords like the above; some password systems for older Windows OSes have a 14-character maximum limit for passwords, which accounts for this particular threshold observed in actual rainbow tables built for cracking.

With a big enough supercomputer (or a botnet!), bigger tables could certainly be (have been?) built.

Currently I'm using 17-character passphrases. They make sense to me, but would look like gibberish to anyone else. I don't use the first-letter system described in the article, just something unique to myself that's simple to remember. However, the author's system would provide adequate protection if the examples were all > 14 characters in length.
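An added example, not written by any poster in this thread, that models in Python the two LANManager properties described above (uppercasing and the 14-character cap split into two 7-character halves) and contrasts an unsalted hash, which a precomputed lookup table resolves instantly, with a salted slow hash that such a table cannot cover. The password, candidate list and hash functions are constructed stand-ins; the real LM DES step is deliberately omitted.

```python
import hashlib
import os

# Constructed sample password for the demo (reused from the thread's example string).
PASSWORD = "hF76&#kjsfBB"

def lm_style_normalize(password: str) -> tuple[str, str]:
    """Model the LANManager pre-processing the post describes: uppercase,
    cap at 14 characters, then treat the result as two independent
    7-character halves. Only this normalisation is modelled, not the DES step."""
    padded = password.upper()[:14].ljust(14, "\0")
    return padded[:7], padded[7:]

def unsalted_hash(password: str) -> str:
    """Unsalted hash: the same input always yields the same output, so a
    table computed in advance maps hash -> password directly."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password: str, salt: bytes) -> str:
    """Per-user random salt plus a slow KDF (PBKDF2): a table built before
    the salt was chosen cannot contain this output, so precomputation is wasted."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

def build_table(candidates):
    """A precomputed lookup table (the idea behind a rainbow table, minus the
    chain compression): hash -> plaintext for every candidate."""
    return {unsalted_hash(p): p for p in candidates}

def lookup(table, digest):
    """Return the plaintext for a captured digest, or None if it is not in the table."""
    return table.get(digest)

def demo():
    # Passwords differing only in case collapse to identical LM-style input.
    same_halves = lm_style_normalize("Password1") == lm_style_normalize("PASSWORD1")
    table = build_table(["hunter2", PASSWORD, "letmein"])  # constructed candidate list
    hit = lookup(table, unsalted_hash(PASSWORD))       # unsalted: found immediately
    salt = os.urandom(16)                              # per-user salt chosen at enrolment
    miss = lookup(table, salted_hash(PASSWORD, salt))  # salted: table is useless
    return same_halves, hit, miss

if __name__ == "__main__":
    print(demo())
```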


Re: None of these passwords are secure
by NightSwimmer
That assumes that the host requesting the password allows infinite incorrect entries without aborting the logon process.
Re: None of these passwords are secure
by p40tomahawk
No, it's actually premised on the most common attack on such systems, which is to either sniff or read the hashed passwords, and then to look them up in a table. This is not about trying passwords by hand live.
Re: None of these passwords are secure
by foobar
p40tomahawk, rainbow tables can hardly crack anything that's under 14 chars; they can only crack passwords on certain versions of Windows when the attacker has physical access to the victim's computer. Tell me, Mr. Know-it-all, how can you use rainbow tables against gmail, facebook or bankofamerica.com? You can't (as long as the user doesn't reuse their Windows passwords on those sites).
Re: None of these passwords are secure
by p40tomahawk
This is giving away too much to a noob, but anyway: a rainbow table can be used in any circumstance which allows the attacker to capture the hash, and in which the encrypting algorithm can be determined. Physical access to the machine is far from the only way to pick up someone's hashed password. [The remainder of figuring out how to perform this attack is left as an exercise for the noob.]