
Password complexity requirements are designed to protect data. However, some complexity requirements can make data less secure, and some unnecessarily inconvenience users.

Password complexity requirements can be a jumble

Password hacks can come about in a number of ways. Passwords can be guessed, hacked by brute force, or stolen, leaving the data on your mainframe vulnerable. Knowing about different kinds of password hacks can help you design password complexity requirements that are right for protecting your data.

Some passwords can simply be guessed, especially if they are commonly used phrases such as ‘password’ or ‘password123’. Unfortunately, these passwords are used often enough that hackers can easily bypass security after a few attempts. When there is a breach at a major Internet service, the passwords get posted online, followed by a number of articles revealing the most common passwords. ZDNet published the top 25 passwords of 2012 shortly after major breaches at LinkedIn,, and eHarmony. The most-used passwords included password, 123456, 12345678, 1234, qwerty, 12345, dragon, baseball, football, letmein, monkey, abc123, and many other easy-to-guess words. Passwords like those make it way too easy for hackers.


Passwords can also be hacked through brute force attacks. The hacker uses software and powerful computers to churn through dictionaries of potential passwords, or to attempt every possible character combination, until he is in.

Finally, passwords can simply be stolen or owners can be tricked into revealing them. Theft of property or social engineering tactics could be employed to pilfer passwords. Users with multiple accounts can also be tempted to use the same password for many different services. Therefore, if a hacker could get someone to give up their password to one account, there’s a good chance that password will get them into many other services, or even into the mainframe!

Most systems enforce some level of password complexity requirements. Here’s an extreme example:

  • Passwords need characters from three of the following categories:
    • Uppercase characters
    • Lowercase characters
    • Base 10 digits
    • Nonalphanumeric characters
    • Any other Unicode character
  • Must be 8-12 characters
  • Cannot use any three consecutive characters from the username
  • Cannot use any three consecutive characters

However, how much of this complexity actually helps protect the password? It is important to determine what sort of complexity requirements actually result in greater security, and which just create user frustration.

Password length is probably the most powerful defense against brute force attacks. Of course, enforcing a limit on the number of failed attempts before the system locks is also an effective way to fend off machines attempting many potential passwords. Systems that prevent many attempts can have more lax complexity requirements. If there is no limit on the number of login attempts permitted, passwords ought to be long and complex to counteract brute force attacks.

Complexity requirements help prevent only the first two types of breaches. A complex password is more difficult to guess, and a complex password of sufficient length is less vulnerable to a brute force attack. However, no amount of password complexity will help once passwords are stolen or if their owners are tricked into sharing them.

Some complexity requirements prevent users from using very secure but memorable passwords and force them to come up with a new, less secure and less memorable password. The user then ends up with a less secure password and is likely to need frequent password resets. Also, limiting the length of passwords is rarely a good idea. Unnecessarily preventing users from using long passwords will often cause them to choose something less secure.
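An added example (not from the original article or any product it mentions) that applies the "extreme example" policy above to constructed passwords, showing a predictable 12-character password passing while a long passphrase is rejected. The username `jsmith`, the sample passwords, the function names and the case-insensitive username comparison are assumptions; the policy's last rule is left out because the page does not say which three consecutive characters it means.

```python
import math
import string

# Most-used passwords quoted in the article (ZDNet, 2012).
COMMON = {"password", "123456", "12345678", "1234", "qwerty", "12345",
          "dragon", "baseball", "football", "letmein", "monkey", "abc123"}
# Printable-ASCII members of each policy category; anything else is "other".
CLASSES = {"upper": string.ascii_uppercase, "lower": string.ascii_lowercase,
           "digit": string.digits, "symbol": string.punctuation + " "}

def categories(pw):
    """Character categories from the article's policy that occur in pw."""
    return {next((n for n, chars in CLASSES.items() if ch in chars), "other")
            for ch in pw}

def extreme_policy_violations(pw, username):
    """Rules of the article's 'extreme example' that pw breaks."""
    broken = []
    if len(categories(pw)) < 3:
        broken.append("fewer than three character categories")
    if not 8 <= len(pw) <= 12:
        broken.append("length outside 8-12")
    user, low = username.lower(), pw.lower()  # assumption: case-insensitive
    if any(user[i:i + 3] in low for i in range(len(user) - 2)):
        broken.append("three consecutive characters from the username")
    return broken

def predictable(pw):
    """True if pw is a listed common password, ignoring case and a
    trailing run of digits or punctuation."""
    low = pw.lower()
    return (low in COMMON
            or low.rstrip(string.digits + string.punctuation) in COMMON)

def brute_force_bits(pw):
    """log2 of the exhaustive search space: length * log2(alphabet in use).
    Non-ASCII characters are not counted, so this is a lower bound."""
    alphabet = sum(len(CLASSES.get(c, "")) for c in categories(pw))
    return len(pw) * math.log2(max(alphabet, 1))

if __name__ == "__main__":
    # Constructed samples; "jsmith" is a made-up username.
    for pw in ("Password123!", "quiet harbor lantern seventeen", "dragon"):
        print(repr(pw), extreme_policy_violations(pw, "jsmith"),
              predictable(pw), round(brute_force_bits(pw), 1))
```

The bit count covers only exhaustive character-by-character search; it says nothing about resistance to a dictionary attack, which is what the `predictable` check addresses.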

A password’s strength is determined by length, complexity, and predictability. A long password is more secure than a short one; a complex one utilizing different kinds of characters is more secure than one that only uses a few; and an unpredictable password is more secure than one that could be easily guessed. A long, complex, and unpredictable password will obviously be strongest of all.

Your password systems should be set up to ensure passwords are sufficiently complex to prevent guessing, but should not be so restrictive that users find it difficult to come up with an acceptable password. If you need a password system that can set proper, custom password requirements, allows for user self-service password reset, and has multi-factor authentication built in, check out ReACT – the number one self-service password complexity and reset tool for business on the market today.
