Last updated on February 10, 2021
What is password complexity?
Note: This is only a guide. Password policies vary between companies and websites; treat this as a starting point to encourage further interest.
Below is an example of password complexity policy you might see in the corporate world:
- Passwords must be at least 12 characters in length, with the following requirements:
  - No common dictionary words
  - No character repeated 3 or more times in a row (for instance, "Passsword")
  - Use each of the categories below at least once:
    - Uppercase letters
    - Lowercase letters
    - Special characters
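As an added example (not part of the original guide), here is a Python checker that enforces the sample policy above and reports every rule a candidate breaks; the common-word list is a constructed stand-in for a real dictionary of common passwords.

```python
import re
import string

# Constructed sample wordlist; a real deployment would load a large
# common-password list instead (assumption for this example).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "monkey", "dragon"}

MIN_LENGTH = 12
SPECIALS = set(string.punctuation)


def check_password(candidate: str, dictionary=COMMON_WORDS) -> list:
    """Return the list of policy rules the candidate violates.

    An empty list means the candidate complies with every rule of the
    sample policy: minimum length, no common dictionary word, no character
    repeated 3+ times in a row, and at least one uppercase letter, one
    lowercase letter and one special character.
    """
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    lowered = candidate.lower()
    hits = [w for w in dictionary if w in lowered]
    if hits:
        failures.append("contains common dictionary word(s): " + ", ".join(sorted(hits)))
    # (.)\1{2,} matches any character followed by two or more copies of itself
    if re.search(r"(.)\1{2,}", candidate):
        failures.append("has 3 or more identical characters in a row")
    if not any(c.isupper() for c in candidate):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in candidate):
        failures.append("no lowercase letter")
    if not any(c in SPECIALS for c in candidate):
        failures.append("no special character")
    return failures


if __name__ == "__main__":
    # Constructed candidates covering the rules above, including one that passes.
    for pw in ["Passsword01", "P@$$word01", "Welcome2021!!!", "Correct-Horse-Battery!Staple"]:
        result = check_password(pw)
        print(pw, "->", "OK" if not result else "; ".join(result))
```

Reporting every failed rule at once, rather than stopping at the first, lets a user fix a rejected password in one attempt.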
Some best practices that would improve the policy above:
- Replace letters with special characters:
  - Instead of "Password01", try "P@$$word01"
- The longer, the better.
- Avoid re-using passwords/passphrases.
- Use passphrases that meet the requirements and suggestions above.
The goal of these password policies is to protect information systems against brute-force and dictionary attacks. They also offer some protection against social engineering attacks, but personnel awareness and training matter far more there. The complexity and randomness of passwords/passphrases protect against the mathematical approach to cracking them, which is a real threat given the computing power available today and the proliferation of botnets.