Simplifying Password Complexity
Page 2 of 7
Complexity Issues
When a new system is introduced, or security on an existing system is increased because more sensitive information assets are being introduced, the change in 'user culture' must be carefully managed. A project introducing a new system can be doomed to failure if users resist it so strongly that the new system is not used to its full potential and therefore does not deliver the business benefits promised in the business plan or PID.
Once we have assessed the level of authentication and identification appropriate to the system, the way to reduce resistance to complex passwords is for all users to have some awareness of the reasoning behind them. It is best practice (and mandatory for compliance with some governance standards) for all users of business systems to receive some form of security awareness training at least annually. This training should include good factual explanations of the need for the password policy being implemented. It needs to explain the ways that attackers can discover weak passwords, through such means as dictionary attacks and social engineering techniques. However, in addition to this, what can really make a difference is to explain to users how they can generate strong passwords that are relatively easy for them to remember. There are many ways that this can be achieved, but my personal favourites include those listed below:
There are four types of character that can be included in a complex password:
Lower case alphabetical characters (abc etc.)
Upper case alphabetical characters (ABC etc.)
Numbers (0123456789)
Special characters (!@#$%^&*()_+[]\{}|;':",./<>?) (Although it must be noted that not all systems will accept all of these characters; advice on this may need to be sought from your helpdesk or local support.)
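The character classes listed above, together with the "at least N of the four types" rule that common implementations enforce, can be expressed as a small policy checker. The following is an added example written for this page, not code from the article or from any product it mentions; the class sets, the default of three classes and eight characters, the user-attributable denylist and the sample passwords are all assumptions made here. The `special` parameter exists because, as the article notes, not every system accepts every special character, so the caller passes the subset its own system allows.

```python
import string

# Character classes as described in the article. The SPECIAL set is the
# article's full list; a given system may accept only a subset of it.
LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)
DIGITS = set(string.digits)
SPECIAL = set('!@#$%^&*()_+[]\\{}|;\':",./<>?')


def character_classes(password, special=SPECIAL):
    """Return the set of class names present in the password.

    Any character outside the four accepted classes is reported as
    "unsupported" so the caller can reject passwords the target system
    would not accept anyway.
    """
    present = set()
    for ch in password:
        if ch in LOWER:
            present.add("lower")
        elif ch in UPPER:
            present.add("upper")
        elif ch in DIGITS:
            present.add("digit")
        elif ch in special:
            present.add("special")
        else:
            present.add("unsupported")
    return present


def check_complexity(password, min_length=8, min_classes=3,
                     special=SPECIAL, attributable=()):
    """Evaluate a candidate password against an N-of-4 class policy.

    min_length   - minimum number of characters (assumed default: 8)
    min_classes  - how many of the four classes must be present (assumed: 3)
    special      - the special characters the target system accepts
    attributable - values linked to the user (name, birth year, ...) that the
                   password must not contain; this is a hypothetical
                   denylist check, not something the article specifies
    Returns (ok, reasons); reasons is empty when the password is compliant.
    """
    reasons = []
    classes = character_classes(password, special)

    if "unsupported" in classes:
        reasons.append("contains characters the target system does not accept")
        classes.discard("unsupported")

    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")

    if len(classes) < min_classes:
        reasons.append(
            f"only {len(classes)} of 4 character classes present "
            f"(policy requires {min_classes})"
        )

    lowered = password.lower()
    for value in attributable:
        if value and value.lower() in lowered:
            reasons.append(f"contains a value attributable to the user: {value!r}")
            break

    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    samples = [
        ("password", {}),
        ("Tr0ub4dor&3", {}),
        ("Abcdefg1&", {"special": set("!@#")}),
        ("Alice1990!x", {"attributable": ["alice", "1990"]}),
    ]
    for pw, opts in samples:
        ok, why = check_complexity(pw, **opts)
        print(f"{pw!r}: {'OK' if ok else 'REJECTED'} {why}")
```

Calling `check_complexity` with `min_classes=2` models the looser "two of four" variant the article mentions; tightening `min_length` is the usual next step for systems that, as the later section notes, demand longer passwords or passphrases.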
Common implementations of complexity requirements may require that at least two or three of the four types of character listed above be present in a password for it to comply with policy. Whether they heed it or not, the majority of system users will be aware that passwords should not consist of words, numbers or phrases that could be linked or directly attributed to them. So names and birthdays etc. are normally out of the question (taboo). However there are a few techniques shown
Simplification Tips
These are all good techniques that can be used to obfuscate a known word or number, but they may still only be acceptable on a system where the requirement is for minimum to moderate access security. Systems that require stronger or longer passwords (or even passphrases) bring with them more difficult choices when it comes to selecting the starting password. At the most extreme end of my personal
Conclusion
However you choose to select your password, there are a couple of tips that make remembering a password somewhat easier.
On the day that you come in to work and discover that you have to change your password, do not do it immediately. Take a little time to consider the complexity options shown here, but above all make sure that the base word or phrase you select is one that you know you will remember.
Then, after you have changed your password, log off every hour or so throughout the day and re-enter the new password. It can be a bit of a pain to do, but our brains are good at remembering things that we do repeatedly, and this will greatly assist you in remembering your new password the next time you try to log on.
There will always be users fighting to resist change, but I am sure that the majority of users will accept the changes more readily when an understandable justification for the need for password complexity is given, and when they are provided with the knowledge to create complex yet memorable passwords.