What Makes A Password Bad Or Good?

If you're not a security expert, it's hard to understand why password complexity is so important. There's a whole world of information leaks, system breaches, and failed security that the general public doesn't see, and the high stakes are hidden under the hood so to speak--the job of any good Information Technology (IT) department is to go unnoticed if there isn't a problem. To figure out why your passwords are rated at different levels and why it matters, here are a few password security details.

Why Do Passwords Need To Be Complex?

To understand complexity, you need to understand what simple means. A simple, unsecure password is usually a dictionary word, which is any word that appears in a standard dictionary in the website or service's main languages.

These are a problem because of an old, far beyond perfected style of password breaking called brute force and dictionary hacking. A brute force attack simply jams in different password possibilities in rapid succession with no rhyme or reason, while the dictionary attack part cycles through words in the dictionary.

Many websites include a maximum number of tries to get through a password, but this can be circumvented by just adding a timer. Although many websites send alerts when password attempts happen, not all users actually check their emails or phones for these alerts. It works, and the only reliable way to stop such attacks is to stop you--the user--from using simple passwords.

What Is Password Complexity?

To morph a basic password into a complex password, various techniques are used. You'll probably recognize these techniques as rules that you have to follow at some websites:

  • One upper-case letter
  • One lower-case letter
  • One number
  • One special character ([email protected]#$%^&)
  • Password must be at least (number here) characters long

Adding numbers and special characters breaks away from the dictionary attacks because official dictionary words don't include numbers or special characters. Including both upper and lower case characters also creates a challenge for brute force attacks because lower case a is considered a different character from upper case A. Typing APPLE or apple instead of ApplE is incorrect, because the case (capitalization) matters.

The length of the password increases the number of added guesses needed to successfully crack a password. There is no industry standard, but 6-8 characters is the usual minimum. It is incorrect to think that even longer passwords add just as much security, because security professionals also need to worry about users forgetting their passwords. 

The unfortunate result in many high security systems--especially in government and military--is that users get tired of the complex system and enter passwords such as [email protected]#$%^. That's just pressing the top letter row and number row with shift, then without shift. It's complex, it's long, but it's easily guessed.

Some security systems can block certain patterns. In the above password, QWERTY is actually a commonly blocked set of letters, and may become a dictionary word. QWERTY is actually the name of the keyboard layout used most commonly in the US, and is by 2017 a known "cheat" for people looking for easy passwords. ASDF, ZXCV, and other straight down the row passwords are also considered.

You can still run into many systems that still allow such passwords, but don't risk it. Instead, use a password manager to create a complex password for the system while maintaining your own easy to remember master password. 

Contact a password management professional to discuss how the system works, and to find out whether the complexity plan is right for you.

Click here for more information regarding this.