There has been much news about the hack of the Gawker web sites. There has even been an analysis of the common passwords found.
This list is embarrassing in many ways. The most common password was "123456". The second most common password was "password".
Much has also been written providing advice on how to create good passwords. This article provides some interesting advice, none of which should be taken.
Anyone reading my blog, probably already knows the importance of strong passwords, so I am not going to reiterate the reasons here.
My target audience is more the folks defining password complexity requirements. A user cannot come up with a strong password, if we have complexity requirements that don't make sense.
With that in mind, here are a few guidelines:
Insist on long passwords. In some cases, you may need to change to allow a long password. I have seen many places that cap passwords at 8 characters. Passwords need to be at least 8 characters minimal. Consider how much stronger the passwords would be if you double the length. Passwords that are 15-20 characters will be that much harder to crack. There is no need to have limit passwords to 8 characters.
Don't Require Special Characters
Many complexity rules will require that your password include a capital letter, a lower case letter, a number, and one of the "special" characters, the shits above the number keys. The problem with such rules is that the resulting passwords are harder to remember. It also means that you will have a smaller set of characters in the resulting passwords. If you must include one of the 9 digits and one of the 9 "special" characters, then you have dramatically reduced the character set that will make up the final password. Two characters will be one of 10 possible values instead of one of 70. Two additional characters will be one of 26 possible characters instead of a 70 character potential character set. If you limit passwords to 8 characters, you are left with only 7 characters having the full set of 70 potential values.
With these character restrictions in place, there are 1.6 x1012 possible passwords. Without these special character restrictions, but allowing numbers and special characters, you get a total of 5.76x1014 possible passwords. Even if you only allowed upper and lower case characters, you will still have 2.18X1014 passwords.
You can do the math any number of ways, requiring special characters will always weaken passwords.
Now imagine the number of passwords when you require more than 8 characters.
If you are responsible for defining complexity rules, I urge you to take these guidelines into account. What other guidelines do you follow?