tssci security

Password Length >= Short/Complex

Roger at InfoWorld has been running a password-cracking contest for some time now and just recently received the first correct cracks of his first password: a 10-character password with normal complexity. The other two, which have yet to be cracked, are a 15-character password with no complexity (lowercase, one or more English words) and a 15-character (or longer) password with minor complexity containing one or more English words.

This doesn't mean that a short and complex password is easier to crack than a longer one with no complexity, though. The problem is that what we perceive as complex (meeting the requirements) is not really so. Here's why:

First, if you require an eight-character-minimum password, most users will choose an eight-character password. If you require a capital letter, they will put it at the beginning because we are trained in writing class to do that. If you require a number, most users will put the number at the end, and the number will be 1 or 2. Even though users have 94 characters to choose from on the keyboard, 80 percent of passwords will contain the same 32 characters and symbols..

In conclusion, longer passwords are better than shorter ones...
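The effect of these habits on search space can be estimated directly. The following is an added example, not code from the original post or from the InfoWorld contest: the `HABIT` pattern, the function names and the sample passwords are constructed, and the model assumes uniformly random letters, so its figure for a 15-character password built from English words is an upper bound.

```python
import math
import re

# Constructed model of the habit quoted above: capital letter first,
# lowercase body, and a single trailing digit that is 1 or 2.
HABIT = re.compile(r"[A-Z][a-z]+[12]")

# Character classes summing to the 94 keyboard characters the post cites.
CLASSES = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^a-zA-Z0-9]", 32)]


def naive_bits(password):
    """Search space (in bits) if every position were drawn uniformly
    from all character classes that appear in the password."""
    pool = sum(size for pattern, size in CLASSES if re.search(pattern, password))
    return len(password) * math.log2(pool) if pool else 0.0


def habit_bits(password):
    """Search space (in bits) for a guesser who assumes the habit.
    Returns None when the password does not follow it."""
    if not HABIT.fullmatch(password):
        return None
    letters = len(password) - 1          # capital + lowercase body
    return letters * math.log2(26) + math.log2(2)   # digit is 1 or 2


def effective_bits(password):
    """Take the habit-aware estimate when it applies, else the naive one."""
    habit = habit_bits(password)
    return naive_bits(password) if habit is None else habit


if __name__ == "__main__":
    # Constructed samples: one policy-compliant 8-character password and
    # one 15-character lowercase string (random letters, an upper bound
    # for a password built from English words).
    for sample in ("Qzxvkpm1", "qzxvkpmwjrhtbna"):
        print(f"{sample:16} naive={naive_bits(sample):5.1f} bits  "
              f"effective={effective_bits(sample):5.1f} bits")
```

The 8-character sample looks like about 48 bits to a policy checker but collapses to about 34 bits once the habit is assumed, while the 15-character lowercase sample stays near 70 bits under this model.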

Posted by Marcin on Friday, November 10, 2006 in Security.
