Password Complexity vs Length

This is a debate as old as computers themselves. The popular choice for the past ten years or so has been a moderate-length complex password. Even Microsoft, in its default group policies, tries to force domain users to use a “complex” password. I agree that using more character types is generally a good idea, but I recommend a longer password over a complex one. At NBG Networks we crack a lot of passwords for our customers, and in our experience the longer concatenated words or phrases take us longer to crack. Computing horsepower these days is such that even a 7 or 8 character complex password with numbers and symbols doesn’t take very long to break, especially when cloud computing platforms with GPU-based cracking are used.

Users are less likely to write the password down on a sticky note stuck to their monitor when it’s less complex. And a 15 or 16 character password, even without symbols, is nearly impossible to crack given time and speed constraints.
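To put numbers on the length-versus-complexity argument, here is an added example (not code from the original post or from NBG Networks) that computes the keyspace and a full-search time for an 8-character complex password against a 16-character lowercase one. The guess rate and the 10,000-word dictionary size are constructed assumptions; real rates depend on the hash algorithm and hardware.

```python
"""Keyspace and brute-force time estimates (added example; figures are assumptions)."""
import math
from dataclasses import dataclass

# Character-set sizes: printable ASCII vs lowercase letters only
COMPLEX_ALPHABET = 95
LOWER_ALPHABET = 26

# Assumed attacker guess rate: a constructed figure for one fast offline
# GPU rig against a weak, unsalted hash. Slow hashes (bcrypt, scrypt,
# Argon2) cut this by orders of magnitude.
ASSUMED_GUESSES_PER_SEC = 1e11

SECONDS_PER_YEAR = 365.25 * 24 * 3600


@dataclass
class Estimate:
    label: str
    keyspace: int
    bits: float
    years_full_search: float


def keyspace(alphabet: int, length: int) -> int:
    """Distinct passwords of exactly `length` characters over `alphabet` symbols."""
    return alphabet ** length


def entropy_bits(alphabet: int, length: int) -> float:
    """Bits of entropy when every character is chosen uniformly at random."""
    return length * math.log2(alphabet)


def estimate(label: str, alphabet: int, length: int,
             rate: float = ASSUMED_GUESSES_PER_SEC) -> Estimate:
    ks = keyspace(alphabet, length)
    return Estimate(label, ks, entropy_bits(alphabet, length),
                    ks / rate / SECONDS_PER_YEAR)


def phrase_estimate(dictionary_size: int, n_words: int,
                    rate: float = ASSUMED_GUESSES_PER_SEC) -> Estimate:
    """Caveat from the post: a phrase built from *common* words is only as
    strong as (dictionary size) ** (word count), regardless of its length."""
    ks = dictionary_size ** n_words
    return Estimate(f"{n_words} words from a {dictionary_size}-word list",
                    ks, math.log2(ks), ks / rate / SECONDS_PER_YEAR)


def compare(rate: float = ASSUMED_GUESSES_PER_SEC) -> dict:
    return {
        "8-char complex": estimate("8-char complex", COMPLEX_ALPHABET, 8, rate),
        "16-char lowercase": estimate("16-char lowercase", LOWER_ALPHABET, 16, rate),
        "4 common words": phrase_estimate(10_000, 4, rate),  # assumed list size
    }


if __name__ == "__main__":
    for name, est in compare().items():
        print(f"{name:18s} {est.bits:6.1f} bits  "
              f"{est.years_full_search:14.3e} years to search fully")
```

At the assumed rate the 8-character complex password falls in under a day of full search, while the 16-character lowercase one takes on the order of ten thousand years. The third row is the caveat behind the post's first rule: four words pulled straight from a 10,000-word list have about the same keyspace as the 8-character complex password, which is why the words should not be ones a basic dictionary contains.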

These are NBG Networks Golden Rules for Passwords:
  • Choose words that won’t be in a basic dictionary. If necessary modify words that are. Think “appple” over “apple.”
  • String multiple words or phrases together with numbers.
  • Keep it longer than 12 characters.
  • Do not post your password requirements online. It makes it infinitely easier for an attacker to tailor an attack to your environment if they know your company’s requirements and recommendations.
  • Consider your password reset mechanism; many attackers target the reset options because they are simpler than the passwords themselves.
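The first three rules can be checked mechanically. The following is an added example (not NBG Networks code) of such a checker; the dictionary in it is a constructed stand-in, and a real deployment would load the same large wordlists a password cracker uses, since those are what the words must not appear in.

```python
"""Checker for the password rules above (added example; dictionary is constructed)."""
import re

MIN_LENGTH = 13  # "longer than 12 characters"

# Constructed mini-dictionary standing in for a real wordlist
BASIC_DICTIONARY = {
    "apple", "orange", "password", "summer", "winter",
    "horse", "battery", "staple", "correct", "company",
}


def words_in(password: str) -> list[str]:
    """Split on digits and other non-letters to recover the word chunks."""
    return [w.lower() for w in re.split(r"[^A-Za-z]+", password) if w]


def check_password(password: str, dictionary: set[str] = BASIC_DICTIONARY) -> list[str]:
    """Return the rules the password fails; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("too short: must be longer than 12 characters")
    words = words_in(password)
    if len(words) < 2:
        failures.append("string several words or phrases together, not one")
    if not re.search(r"\d", password):
        failures.append("join the words with numbers")
    hits = [w for w in words if w in dictionary]
    if hits:
        # Rule 1: modify dictionary words ("appple" over "apple")
        failures.append("dictionary words present: " + ", ".join(hits))
    return failures


if __name__ == "__main__":
    for candidate in ("apple", "appple7orange", "appple7oranj3"):
        print(candidate, "->", check_password(candidate) or "OK")
```

The checker only flags exact dictionary matches; it deliberately does not score substitutions or mangling, so pairing it with a large wordlist matters more than tuning the rules.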
[Comic: xkcd “Password Strength”, courtesy of xkcd.com]

Nick Gibson

Nick Gibson is a United States computer security expert and founder of NBG Networks LLC. He has worked in security regulated industries like healthcare and finance for over a decade.