Why password complexity is so important.

My number one annoyance is software and websites that force password changes every x number of days, but then allow you to use a totally insecure password.  The concept is seriously flawed and puts everyone at risk.  The thought is that if you make people change their password, you reduce the possibility of being hacked.  A good thought, but if you allow simple passwords, then you had better make your users change their passwords every couple of minutes.

Don’t get me wrong, I am all for security.  It is important that we all take our online security seriously.  But why would you put up a facade of security, pretending to protect your users (aka customers), when in reality all you are doing is inconveniencing them?

According to this article, “the top 10,000 passwords are used by 98.8% of all users”.  Yes, that number is 10,000!  The list is scary.  All of the passwords on this list can be cracked in a matter of minutes with simple password cracking tools freely available on the Internet.

The problem is that people hate to be inconvenienced.  I’m at the top of the list!  So in order to avoid the conflict, yet still be able to secure their networks, network administrators have taken an attitude of compromise.  This attitude, while well intentioned, puts the user at a higher risk than if the network administrator had simply enforced a policy that required their users to create hard-to-crack passwords.

It is better to try and educate your users as to why you are forcing complex passwords.  You can still inconvenience them with forced changes every 45 days (or hours, if you prefer), but if they are using complex passwords, then this practice is not truly necessary.  Your users may not like this at first, but once they understand why and that your sole intention is to protect them, they usually calm down and comply.

A really good tool for testing your own passwords can be found at https://howsecureismypassword.net/.  I use this site because it uses SSL encryption and asks for no other information when checking your password.  I would still recommend using your browser’s private browsing feature and deleting any cookies left by this site when you are done.

There are numerous articles on how to create a strong password.  I’m not going to create another.  Just do yourself and the rest of us a favor: create a strong password and we will all be better off for it!  If you believe your password may have been compromised, change it!  And use something totally different; adding another number to the end does not make it any better.
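To make the policy argument above concrete, here is an added example (my own illustration, not code from this post or from any product it mentions) of the checks a password-change form can run server-side: reject anything on a common-password list even when digits or symbols have been tacked onto the end, require a minimum length and a mix of character classes, and refuse a "new" password that is just the old one with a different trailing number.  The `COMMON_PASSWORDS` set is a small constructed stand-in for a real top-10,000 list, and the minimum length of 12 is an assumed policy value, not something the post specifies.

```python
import re
from typing import List, Optional

# Constructed stand-in for a real "most common passwords" list.  In production
# this would be loaded from a breach-derived wordlist of many thousands of entries.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "monkey",
    "dragon", "baseball", "iloveyou", "abc123", "football", "111111",
}

MIN_LENGTH = 12          # assumed policy value
MIN_CLASSES = 3          # of: lowercase, uppercase, digit, symbol


def _core(pw: str) -> str:
    """Lowercase the password and strip any trailing digits/symbols.

    'Password1!' and 'PASSWORD2024' both reduce to 'password', which is how
    we catch common words dressed up with a number on the end.
    """
    return re.sub(r"[\d\W_]+$", "", pw.lower())


def is_common(pw: str) -> bool:
    """True if the password, or its stripped core, is on the common list."""
    return pw.lower() in COMMON_PASSWORDS or _core(pw) in COMMON_PASSWORDS


def character_classes(pw: str) -> int:
    """Count how many of the four character classes the password uses."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def is_trivial_variant(old: str, new: str) -> bool:
    """True when `new` is `old` with only case changed or trailing digits/symbols altered."""
    if old.lower() == new.lower():
        return True
    old_core, new_core = _core(old), _core(new)
    # An empty core (e.g. an all-digit password) carries no information to compare.
    return bool(old_core) and old_core == new_core


def validate(new: str, old: Optional[str] = None) -> List[str]:
    """Return a list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(new) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    if is_common(new):
        problems.append("is a common password, possibly with digits/symbols appended")
    if old is not None and is_trivial_variant(old, new):
        problems.append("differs from the previous password only by case or a trailing number")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs for a quick demonstration.
    for candidate, previous in [
        ("Password1!", None),
        ("Correct-Horse-Battery-9", None),
        ("Correct-Horse-Battery-10", "Correct-Horse-Battery-9"),
    ]:
        print(candidate, "->", validate(candidate, previous) or "accepted")
```

The point of `_core` is the one the post makes at the end: "Summer2023!" and "Summer2024!" are the same password to anyone running a cracking tool with a rule set, so the check compares the stripped core rather than the literal strings.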

Stay safe out there!