When it comes to passwords, length is what matters

by | Nov/18/2009

Ever heard the rumor that you need upper case letters, lower case letters, symbols, and numbers in your passwords? This is called “password complexity.” If you have to keep password complexity for compliance reasons, you have no choice; otherwise, make your life easier and switch to passwords that are 15 characters or longer, commonly referred to as passphrases.

If you make your passphrase something like “remember to finish the security project by next month,” you can write it down on a piece of paper and stick it on your monitor. If someone sees that stuck to your monitor, they will think it is just a reminder note (which it is). Another example of a passphrase that would be hard to break is “take the family to go snow skiing in Colorado at night.” That password is much more secure than “@ppl3E5.”

Of course, if you save a file on your hard drive with all your passwords, nothing can help you if a criminal, or even a worker in your own office, finds the file.
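To put numbers on the comparison above, here is an added Python example (not from the original post) that estimates the brute-force search space of the two passwords the post uses. The character-class table, the 20,000-word vocabulary used for the word-level estimate, and the policy thresholds are assumptions chosen for illustration.

```python
import math
import string

# The two passwords compared in the post.
COMPLEX_PW = "@ppl3E5"
PASSPHRASE = "take the family to go snow skiing in Colorado at night."

# Character classes as a typical "complexity" rule counts them. Assumption:
# symbols are ASCII punctuation plus the space character.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}


def classes_used(password):
    """Names of the character classes that appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def char_bits(password):
    """Brute-force search space in bits, assuming the attacker knows which
    character classes were used and must try every string of that length."""
    if not password:
        return 0.0
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return len(password) * math.log2(alphabet)


def word_bits(passphrase, vocab_size=20000):
    """Pessimistic estimate for a natural-language passphrase: the attacker
    guesses whole words from a vocabulary of vocab_size (assumed) rather than
    characters. Whitespace-separated words are the guessing units."""
    return len(passphrase.split()) * math.log2(vocab_size)


def meets_length_policy(password, min_len=15):
    """The rule the post recommends: length alone, 15 characters or more."""
    return len(password) >= min_len


if __name__ == "__main__":
    for pw in (COMPLEX_PW, PASSPHRASE):
        print(f"{pw!r}: classes={sorted(classes_used(pw))}, "
              f"char-level={char_bits(pw):.0f} bits, "
              f"meets 15-char policy={meets_length_policy(pw)}")
    # Word-level guessing is the realistic attack on a phrase; it still beats the short password.
    print(f"passphrase word-level estimate: {word_bits(PASSPHRASE):.0f} bits")
```

Even under the word-level model, which assumes the attacker guesses whole dictionary words, the passphrase's estimate is more than three times the character-level estimate for “@ppl3E5”.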

2 Comments

  1. Norm Schwantes

    Mike,

    When I read this it reminded me of an old “blonde” joke, which isn’t so “blonde” any more…

    During a recent password audit, it was found that a blonde was using the following password:

    MickeyMinniePlutoHueyLouieDeweyDonaldGoofy

    When asked why such a big password, she said that it had to be at least 8 characters long.

  2. Mike Foster

    While length is preferably 15 characters, Windows operating systems older than Windows Server 2003 cannot handle passwords longer than 14 characters. Windows Server 2003 and later supports passwords up to 127 characters in length. If you want to use GPOs to enforce a passphrase of 15 characters, you will need to use a custom password filter to replace PASSFILT.DLL.

