Skip to navigation Skip to main content Skip to footer

Can Password Complexity Actually Become a Security Conflict?

Do password requirements enhance or undermine security?

06 March 2023

By John Rostern

The case for password complexity

Recent, well-publicized breaches have driven conversations about strong passwords. This has brought the question of what exactly a strong password is back into focus. Conventional wisdom says a strong password is one that requires more time to crack by brute force, which has led to the evolution of ‘best practices’ related to password composition. But are these practices actually effective?

Long and complex passwords are more difficult to crack than shorter and/or less complex passwords. That’s a fact. Therefore, it is common practice to require complex passwords that are also of minimum length. This seems inherently sensible, but the implementation of password complexity requirements is counterproductive in practice.

Password strength is the product of both length and complexity expressed as the number of possible values (character set) in each position to the power of the number of possible positions (characters). For example, an 8-character password using only upper- and lower-case values would have about 53.46T (trillion) possible combinations (528).

So, it stands to reason that requiring additional characters to be included would serve to strengthen the password even further. Moreover, adding the numbers 0-9 and nine commonly allowed special characters (#, &, *, $, !, ~,^, ?, @) provides a set of 71 possible characters, which in turn creates over 645T combinations.

How long it takes to crack a password- by the numbers

The problem comes when certain characters are required as opposed to allowed. From the perspective of an attacker trying to brute force the password, requiring a certain character type reduces the potential number of combinations.

As a result:

  • An 8-character password with a 71-character set provides 645.73 trillion (T) combinations.
  • Requiring one character to be uppercase reduces the number of combinations to 236.47T.
  • Requiring one character to be uppercase and one number reduces the number of combinations to 33.3T.
  • Requiring one character to be uppercase and one number and one of nine typically allowed special characters reduces the number of combinations to 4.22T.

 

Why is this the case? If there are 71 possible characters, the possible number of characters in each position looks like this:

Table showing 71 possible characters at each position of an eight-character password.

 

Requiring one character to be uppercase looks like this:

 

Table showing 71 possible characters at positions one through seven of an eight-character password, but only 26 when requirements are made at position eight

 

Requiring one character to be upper case and one number looks like this:

Table showing 71 possible characters at positions one through six of an eight-character password, but only 10 at position seven and 26 at position eight when password requirements are made there.

 

And finally, requiring one character to be uppercase and one number and one of nine typically allowed special characters looks like this:

Table showing 71 possible characters at positions one through five of an eight-character password, but only 9 at position six, 10 at position seven, and 26 at position eight when password requirements are made there.

Consider that password strength is typically expressed as a function of the time needed to ‘crack’ a password of a predefined length assuming a consistent number of possible characters (complexity) across different length passwords. The time required to crack an 8-character password with numbers, upper and lowercase letters, and symbols is thought to be approximately 39 minutes at the time of this writing. For purposes of discussion, let’s equate that to the time required to crack the roughly 645T combinations described above.

However, since we have now reduced the number of combinations to 4.22T, this in turn reduces the effective length of the password- making it equivalent to a password between 6 and 7 characters in length. Referring to the same benchmarks, this password would require less than 31 seconds to crack.

Building better best practices for password security

The intent here is not to advocate 8-character passwords in any way. As stated above, longer and complex equals stronger. The argument here is that imposing complexity requirements reduces the effective length of the password which makes it easier/less time consuming to crack.

Here are some simple steps that would address this issue:

1. Allow the entire list of 32 special characters (~ ` ! @ # $ % ^ & * ( ) _ - + = { [ } ] | \ : ; " ' < , > . ? / ) to increase the possible character set for an 8-character password from 71 to 94. This change increases the number of possible combinations from ~645T to over 6 quadrillion.

2. Change the way that password complexity is enforced. Shift from enforcing complexity to advising users that their passwords are not appropriately complex. For example, checking password complexity and then recommending users to create more complex of longer and stronger passwords. This would no longer eliminate combinations from consideration in a brute force attack.

3. Increase the minimum password length required. Cracking even complex 8-character passwords is being reduced to a trivial exercise. It is time to move the baseline to at least 12 characters. Of course, the downside to this approach is to reduce the number of shorter passwords that must be searched, but that is offset by the extended time and effort required to actually crack the longer password.

While a ‘password-less’ future holds great promise, it remains subject to both further development and widespread adoption. Until then, passwords are here to stay as one of the most utilized available authentication factors. Strong passwords- leveraging multi-factor authentication wherever possible- will remain a critical part of cyber security for the foreseeable future.

About the author

John Rostern

John Rostern

Senior Vice President, NA Risk Management & Governance 

John leads NCC Group’s Global Cloud & Infrastructure Security Services business and the North American Governance, Risk and Controls practice. Together, these practices provide security assessment, audit, risk advisory services, security management, due diligence, and compliance to industry standards (HIPAA, PCI DSS, ISO 27k series, NIST 800, CMMC, FedRAMP etc.). 

John has more than 40 years of diverse experience, specializing in IT audits, technology risk assessments & management, IT strategic planning & governance, architecture, information security, operations, applications development, telecommunications, networking, data center design and business continuity planning. He is a highly sought after subject matter expert in the areas of data loss prevention, intrusion detection, encryption, and incident response, and has published articles on a variety of topics related to technology risk. 

Do you have password security or other identity management concerns?

NCC Group has expert consultants standing by; we're always ready to make sure the right people have the right level of access at the right time.