Password Complexity
      Back to home
      1. INFO CENTER
      2. Password Complexity

      Password Complexity

      What should a password look like?

      TEKRiSQ shield

      Password complexity is a measure of how difficult a password is to guess in relation to any number of guessing or cracking methods.

      In some cases, the term is also used to refer to requirements for password selection that are designed to increase password complexity in the interest of better security.

      Password complexity is important because guessed passwords are a common avenue for attack, and thus, for data breaches. When passwords can be guessed, individuals other than the owner of an account or resource are able to access that account or resource without permission.

      Password complexity has become more important in recent years because of the rise of so-called "brute force" attacks, in which computer software is used to try to guess a password, often by trying thousands or even millions of combinations of common words, names, and already known passwords from previous data breaches.

      Password complexity guidelines often require users to create passwords according to particular rules—for example, the inclusion of a minimum number of special characters, numbers, lowercase and capital letters, and so on. These requirements, however, often have the effect of making passwords very difficult for users to remember and enter, which may have the paradoxical effect of reducing security as users seek to find ways to remember their passwords—for example, by writing them down or saving them in a convenient place.

      The US National Institute for Standards and Technology (NIST) has determined most password complexity guidelines to be outdated for this reason, and does not endorse most password complexity requirements. Instead, many experts now recommend the use of passphrases—very long passwords that are easier for users to remember, such as "YellowBoatCubumberNevadaIceCream" or "SevenSharkFitnessFandom" for example.

      By virtue of their length, passphrases remain difficult to "brute force," but by avoiding the most onerous complexity requirements, passphrases enable users to remember passwords without storing and retrieving them in insecure ways.

       

       

       

      Passwords must:

      • Be a minimum of eight (8) characters in length
      • Contain a least one (1) character from three (3) of the following categories:
        • Uppercase letter (A-Z)
        • Lowercase letter (a-z)
        • Number (0-9)
        • Special character (~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/)
      • Be private.

      Passwords must not:

      • Contain a common word, proper name, your username, your email address, your first or last name.
      • Have been used in the last ten (10) passwords.

      How to set password policy in Active Directory

      A strong password policy is any organization’s first line of defense against intruders. In Microsoft Active Directory, you can use Group Policy to enforce and control many different password requirements, such as complexity, length and lifetime.

      The default domain password policy is located in the following Group Policy object (GPO): Computer configuration -> Policies -> Windows Settings ->Security Settings -> Account Policies -> Password Policy

      Starting from Windows Server 2008 domain functional level, you can define fine-grained policies for different organizational units using the Active Directory Administrative Center (DSAC) or PowerShell. 

      Password age

      Previous NIST guidelines recommended forcing users to change passwords every 90 days (180 days for passphrases). However, changing passwords too often irritates users and usually makes them reuse old passwords or use simple patterns, which hurts your information security posture. While strategies to prevent password reuse can be implemented, users will still find creative ways around them.

      Passwords especially susceptible to brute force attacks

      It’s wise to use discourage or prohibit the following passwords:

      • Easy-to-guess passwords, especially the phrase "password"
      • A string of numbers or letters like “1234” or “abcd”
      • A string of characters appearing sequentially on the keyboard, like “@#$%^&”
      • A user’s given name, the name of a spouse or partner, or other names
      • The user’s phone number or license plate number, anybody’s birth date, or other information easily obtained about a user (e.g., address or alma mater)
      • The same character typed multiple times like “zzzzzz”
      • Words that can be found in a dictionary
      • Default or suggested passwords, even if they seem strong
      • Usernames or host names used as passwords
      • Any of the above followed or preceded by a single digit
      • Passwords that form pattern by incrementing a number or character at the beginning or end

      TEKRiSQ+shield