We have always gotten a lot of pushback on enforcing complex passwords. Believe me, as a person who works with a lot of passwords every day, I understand completely. But the data speaks for itself. In the picture below, note the difference between only lowercase and all characters.
What’s the most shocking of the statistics below? It’s that 4-digit PIN to your bank account, isn’t it? Absolutely insecure and, under the best of circumstances, broken in 1.36 minutes. See if they’ll let you use a longer one.
There is, however, another very important take-away that you need to know about: the definition of All Characters. All Characters means that your password contains upper, lower, numbers and symbols, and the letters do not form any known word.
So it’s something like !)@ftlgjsro2BB, which is awful to type and remember, but it would take a hacker 154,640,721,434 millennia to break it. Perhaps it is worth committing to memory?
Still, I have an easier solution to this problem. It’s the one that we use internally. It’s a formula, and it goes like this: symbol symbol word word symbol symbol, or symbol number word word symbol number.
Here are a couple of examples of easy-to-remember complex passwords that do not contain any known word.
But those are words, you say? Yes, but no, they aren’t. They are two unrelated words that, when put together, make nonsense and aren’t found in the dictionary. Complex passwords don’t have to be difficult, and we do have to enforce them. If it wasn’t important we wouldn’t harp on it so much.
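As an added example that is not part of the original post, here is a small Python checker for the two rules described above: the All Characters definition (all four character classes, no letter run forming a known word) and the symbol-word-word-symbol formula (the middle must split into two dictionary words, but the glued result must not itself be a word). The word set is a constructed stand-in for a real wordlist; an enforcement point would load a proper dictionary instead.

```python
import re
import string

# Constructed stand-in for a real dictionary/wordlist (an assumption for this demo).
SAMPLE_WORDS = {"blue", "lamp", "river", "toast", "apple", "pass", "word", "password"}

_SYM = re.escape(string.punctuation)
# The post's two patterns: symbol symbol WORDWORD symbol symbol
#                          symbol number WORDWORD symbol number
FORMULA = re.compile(
    rf"^(?:[{_SYM}]{{2}}|[{_SYM}][0-9])(?P<letters>[A-Za-z]+)(?:[{_SYM}]{{2}}|[{_SYM}][0-9])$"
)


def char_classes(password):
    """Return the set of character classes present: upper, lower, digit, symbol."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("symbol")
    return classes


def contains_known_word(password, words=SAMPLE_WORDS):
    """True if any maximal run of letters in the password is itself a dictionary word."""
    return any(run.lower() in words for run in re.findall(r"[A-Za-z]+", password))


def is_all_characters(password, words=SAMPLE_WORDS):
    """The post's All Characters rule: all four classes present, no known word."""
    return (char_classes(password) == {"upper", "lower", "digit", "symbol"}
            and not contains_known_word(password, words))


def split_two_words(letters, words=SAMPLE_WORDS):
    """Split a glued pair like 'bluelamp' into ('blue', 'lamp'), or return None."""
    for i in range(1, len(letters)):
        head, tail = letters[:i], letters[i:]
        if head in words and tail in words:
            return head, tail
    return None


def matches_formula(password, words=SAMPLE_WORDS):
    """True if the password follows the formula and the glued middle is not a word."""
    m = FORMULA.match(password)
    if not m:
        return False
    letters = m.group("letters").lower()
    return letters not in words and split_two_words(letters, words) is not None
```

Note that a formula password only satisfies All Characters as well when it mixes case and includes a digit, as the symbol-number variant with a capitalised word does.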