Kashif Ali

Password complexity rules more annoying, less effective than lengthy ones

June 28, 2013 arstechnica.com

Few Internet frustrations are so familiar as the password restriction. After creating a few (dozen) logins for all our Web presences, the use of symbols, mixed cases, and numbers seems less like a security measure and more like a torture device when it comes to remembering a complex password on a little-used site. But at least that variety of characters keeps you safe, right? As it turns out, some contrary research both confirms how frustrating these restrictions are and suggests that the positive effect of complexity rules on security may not be as great as that of long length requirements.

Let's preface this with a reminder: the conventional wisdom is that complexity trumps length every time, and this notion is overwhelmingly true. Every security expert will tell you that “Supercalifragilistic” is less secure than “gj7B!!!bhrdc.” Few password creation schemes will render any password uncrackable, but in general, length does less to guard against crackability than complexity.

A password is not immune from cracking simply by virtue of being long: 44,991 passwords recovered from a dump of LinkedIn hashes last year were 16 characters or more. The research we describe below concerns specifically how the restrictions that administrators place on password construction affect the crackability of the resulting passwords. By no means does it suggest that a long password is, by default, more secure than a complex one.
