04-16-2010 07:29 AM
I have witnessed a lot of unhappiness concerning password complexity requirements. I am starting this thread, hopefully, to lay most of it to rest.
Password complexity requirements are not in place so that you have to make a password you will never remember. Instead they are in place to ensure your safety and security. The reason behind the complexity requirements is that some 74.5% of all current passwords in the world are completely insecure. By insecure, I mean passwords that are part of any of the following criteria:
A) This is really the most common insecurity among passwords, a single word that can be found in the dictionary. The word may seem to be singular and unique to yourself, but it is not. The great majority of 'cracking' (password brute-forcing/guessing) programs start their process by trying words found in the common dictionary.
B) A sequence of numbers under 6 characters in length. After said 'cracker' finishes with the dictionary, it then begins running numbers in sequence from 0 to 999999.
C) This one is probably the most overlooked password insecurity. It would be what I call the 'star identifier'. A lot of people assume that using famous people, for example, let's say John Elway, as a password meets the complexity requirements. Now, while using a password like 'broncos7' may seem secure, it is not. The people that write 'crackers' have caught on to this scheme, so after failing at the dictionary and integer based attacks, it will start trying 'star identifiers'. Using a 'star identifier' is never a good idea for a password.
D) This one is known simply as the 'god complex'. This one got its title by people literally using powerful symbols, such as 'god', as their passwords. Examples of such passwords are as follows: 'god','king','lord','master','jesus','man','#1','b
Now you may say "Well, they should have people watching out for that." and you are completely correct, they do. However, these technicians are already busy trying to stop other 'crackers' from gaining access to the accounts of 200 other people that thought the exact same thing that you just did. Under that large a workload, the 'cracker' that is working your password may succeed. My point comes to this: why take the risk? Help yourself and help the technicians by opting for a more secure and unique password.
Thus the best passwords are built using these simple guidelines:
A) The password should never be part of something that can be identified with you (i.e. Your favorite sport.)
B) The password should never contain the names of loved ones.
C) The password should NEVER contain part of your name, address, phone number, etc...
D) The password should ALWAYS contain a symbol (i.e. !@#$%^&*()-+ [do please note however that '!' and '#' are the most common symbols used.]) whenever possible.
E) The password should ALWAYS be alphanumeric (containing a combination of numbers and letters).
F) When possible, the password should be an average length of at least 10 characters.
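As an added example (not from the original post), here is a small Python checker that applies the weak-password criteria and the guidelines above; the dictionary, 'star identifier' and 'god complex' word lists are constructed stand-ins, and a real deployment would load full lists from files.

```python
import re
from typing import Iterable, List

# Constructed stand-ins for the word lists the post refers to (assumption:
# real deployments load a full dictionary and much larger name lists).
DICTIONARY = {"password", "dragon", "welcome", "sunshine", "monkey", "football"}
STAR_IDENTIFIERS = {"elway", "broncos", "jordan", "beckham"}
GOD_COMPLEX = {"god", "king", "lord", "master", "jesus", "man", "#1"}
SYMBOLS = set("!@#$%^&*()-+")


def check_password(pw: str, personal_terms: Iterable[str] = ()) -> List[str]:
    """Return the guideline violations found in pw (empty list = passes).

    personal_terms holds things identifiable with the user (name, team,
    loved ones, phone digits) that must not appear in the password.
    """
    problems: List[str] = []
    lowered = pw.lower()
    # Drop a trailing number so 'broncos7' is still matched against the lists.
    core = re.sub(r"\d+$", "", lowered)

    if lowered in DICTIONARY or core in DICTIONARY:
        problems.append("single dictionary word")
    if pw.isdigit() and len(pw) < 6:
        problems.append("numeric sequence under 6 characters")
    if core in STAR_IDENTIFIERS:
        problems.append("star identifier")
    if lowered in GOD_COMPLEX or core in GOD_COMPLEX:
        problems.append("god complex word")
    for term in personal_terms:
        if term and term.lower() in lowered:
            problems.append(f"contains personal term {term!r}")
    if not any(c in SYMBOLS for c in pw):
        problems.append("no symbol")
    if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        problems.append("not alphanumeric (needs letters and digits)")
    if len(pw) < 10:
        problems.append("shorter than 10 characters")
    return problems


if __name__ == "__main__":
    for candidate in ("broncos7", "12345", "god", "Tr!b4l-Vortex_29"):
        print(candidate, "->", check_password(candidate, ["John", "Elway"]))
```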