Since most users also use dictionary words as the root to their “complex” password, and follow other common conventions (capitalized letters are at the beginning, numbers are at the end), a simple hybrid attack will break most of them in less than a day. Trust me, I know -- I do it for a living.
Quote from Roger A. Grimes*
The importance of longer password length
The conventional thinking is that the additional complexity presents such an increased workload for the hacker that complexity is the holy grail of password hacking prevention. After all, conventional wisdom says that all the good Web sites require complexity. Heck, a Microsoft Windows log-on password requires complexity. Every new piece of password-creation advice focuses on complexity, but gives scant consideration to the equal (or better) importance of longer password length.
They're all wrong! Character-for-character, password length is more important for security than complexity. Requiring complexity but allowing passwords to remain short makes passwords more vulnerable to attack than simply requiring easier-to-remember, longer passwords.
For everyone using six- to nine-character passwords with “complexity,” I appreciate it. I get paid to break in to systems for a living, and you make my job easier.
Strength is provided by increasing the number of possible passwords the attacker has to guess (let’s call this the keyspace even though it really isn’t appropriate in this context). The keyspace is represented mathematically as X^L, where X is the number of possible characters that can be in the password and L is the length. If you do the basic analysis, you can see that changes in L are more significant, character for character, than changes in X.
But conventional wisdom will have you believe that increasing complexity forces the password attacker to use significantly more possible characters in their attack. In the X^L formula example, forcing the use of capitalized letters requires the value of X to go from 26 for all possible lower case letters to 52 for both upper case and lower case letters. And if you include nonalphanumeric characters, X goes up to 94 to support all the normal single characters you can type on a 101-key keyboard. Windows will allow you to use any Unicode character, which includes upwards of 65,000 different symbols.
Of course, most people only use the 94 standard keyboard keys. And if people actually evenly used the 94 characters of potential complexity, short passwords would be uncrackable, because 94^8 = 6,095,689,385,410,816 possible passwords -- which is uncrackable using anything known today or in the near future.
When trying to increase the strength of your passwords, my advice is to consider length as much or more than you consider complexity. For my money, length is all the protection I need. Make your admin and root passwords 15 or more characters long and forget about complexity -- at 15 characters-plus, they are all but uncrackable.
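The X^L comparison above, worked through as an added example that is not part of the quoted article: it computes how many lowercase characters it takes to match a short "complex" password, and how small the search space becomes when a password follows the dictionary-word-plus-digits convention. The function names and the 100,000-word dictionary size are assumptions made for illustration.

```python
import math

# Character-set sizes (X) as given in the article.
LOWER, MIXED, KEYBOARD = 26, 52, 94
# Assumption for illustration: size of the attacker's word list.
ASSUMED_DICTIONARY_WORDS = 100_000

def keyspace(x, length):
    """X^L: candidate passwords of exactly `length` chars over `x` symbols."""
    return x ** length

def equivalent_length(x_small, x_big, length):
    """Shortest length over the small set that matches or beats
    `length` characters drawn evenly from the big set."""
    target = keyspace(x_big, length)
    n = 0
    while keyspace(x_small, n) < target:
        n += 1
    return n

def hybrid_keyspace(words, digits):
    """Candidates when the password follows the convention the article
    describes: capitalized dictionary word followed by `digits` digits.
    The capital and the digit position are fixed, so only the word
    choice and the digit values vary."""
    return words * 10 ** digits

def report():
    """Return (label, candidates, bits) rows, smallest keyspace first."""
    rows = [
        ("dictionary word + 2 digits", hybrid_keyspace(ASSUMED_DICTIONARY_WORDS, 2)),
        ("8 chars, lowercase only", keyspace(LOWER, 8)),
        ("8 chars, upper + lower", keyspace(MIXED, 8)),
        ("8 chars, all 94 keys used evenly", keyspace(KEYBOARD, 8)),
        ("15 chars, lowercase only", keyspace(LOWER, 15)),
    ]
    return sorted(((l, c, math.log2(c)) for l, c in rows), key=lambda r: r[1])

if __name__ == "__main__":
    for label, count, bits in report():
        print(f"{label:34} {count:>26,} {bits:6.1f} bits")
    print("lowercase length matching 8 mixed-case chars:",
          equivalent_length(LOWER, MIXED, 8))
    print("lowercase length matching 8 chars of all 94 keys:",
          equivalent_length(LOWER, KEYBOARD, 8))
```

Under the assumed word list, a capitalized word with two trailing digits passes a typical complexity check yet amounts to about 23 bits, against roughly 52 bits for eight characters drawn evenly from all 94 keys and about 70 bits for fifteen lowercase characters.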
*Roger A. Grimes is contributing editor of the InfoWorld Test Center. He also writes the Security Adviser blog.