Corcystems Demo Article

Has password complexity failed?

Increasing and enforcing password complexity was supposed to make our data more secure.

We live in a world where passwords are becoming harder for people to remember yet easier to crack. What happened?

Let’s start by looking at the rules.

What Are Password Complexity Rules?

They are rules governing the length, format, and lifespan of passwords.

Typically, these rules control:


  • Password length: An 8-character password is generally considered to be the absolute minimum. Some experts argue that longer passwords (10, 12, 16, or even 20 characters) should be required, on the assumption that a longer password is tougher to crack.
  • Uppercase and lowercase letters: Mixing uppercase and lowercase letters makes the password harder to crack by increasing the number of different letter combinations the attacker would have to try. For example, an 8-character uppercase password has 26^8 (the character set to the 8th power) possible combinations. A modern computer could crack this easily. Mixing upper and lower case increases the possible number of combinations to 52^8.
  • Numbers: Including numbers in passwords increases the number of possible combinations to 62^8.
  • Special characters: Special characters such as $&*!*, etc., can be used to make the password more complex. Again, the idea behind enforcing special characters is that it prevents users from using a common word as their password, which would make them susceptible to a simple dictionary attack.
  • The number of repeating characters: Some installations limit the number of repeated characters.
  • Password reuse: Some installations control whether passwords can be reused.



Benefits of Password Complexity Rules


We know any password can be cracked given enough time, effort, and resources – just like any bank can be robbed. The point of security is to discourage the attacker so he/she will move on to easier targets. Password complexity protects against brute force attacks.

Theoretically, the more requirements enforced, the tougher the password is to crack.  In practice, things have turned out a little differently.



The Downside 


Password complexity rules enforce this “tough to crack” requirement, but there have been unintended consequences. Password complexity has limited scalability.  We can generate longer, more complex passwords that are tough to crack, but at a certain point, it becomes too complex to be useful to users, and they will look for ways to game the system.

In fact, several organizations have found that as complexity requirements increase, users' password hygiene gets worse. If you require users to incorporate numbers and special characters, they will quite often take their existing easy-to-remember password and add 1 or 2 extra characters to it. So, the password “ILovemyWife” would become “ILovemyWife$$”.

Complexity requirements assume no bias: that all numbers, letters, and characters have an equal chance of being used. In other words, they do not account for which characters users actually tend to pick.

The reality is there is a ton of bias not accounted for. For example, in an analysis of over 3 million short passwords, the letter “e” was used 1.5 million times, 6 times more than the letter F (250,000 times). The most used number? 1.

Earlier I said there were 26^8 possible combinations for a lowercase, all alphabetic password, and that’s true – if the letters are randomly arranged. The problem is that people do not behave that way. They often do not choose randomly ordered letters for their passwords because they can be hard to remember.

Many users have turned to Leetspeak for their passwords. Leetspeak is when standard letters are replaced by numerals or special characters that resemble them, or vice versa. So the word “leet” could become “1337”, and the password ‘ilovemywife’ might become ‘|10v3myw|fe’.

People also like to use patterns in passwords, like adding numbers and characters before a base word or after a base word.  For example, Ilovemywife becomes Ilovemywife01, 02, etc.


Other users will turn to keyboard walking.


The password ‘Cft6mju&’ may pass complexity rules, but it is really the result of keyboard walking (typing keys that sit next to each other on the keyboard) and is relatively easy for attackers to crack.




Patterns make the job easier for hackers, especially if the same few passwords are reused in different places.
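The gap described above, as an added example (not code from the article): a Python sketch that applies an assumed "length 8 or more, three of four character classes" rule to the article's sample passwords, then screens them for padding, leetspeak and keyboard walks. The blocklist, the complexity rule, the QWERTY adjacency offsets and the walk threshold of 4 keys are illustrative assumptions.

```python
import re

# Constructed base-word blocklist (assumption); production screening would
# load a corpus of exposed passwords instead.
BLOCKLIST = {"ilovemywife", "password", "leet"}
# Leetspeak look-alikes mapped back to letters (illustrative subset).
LEET = str.maketrans("1|03745@$", "lioetasas")
# US QWERTY rows, unshifted; offsets below approximate the physical stagger.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl;", "zxcvbnm,./"]
POS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}
UNSHIFT = str.maketrans("!@#$%^&*():<>?", "1234567890;,./")
ADJACENT = {(0, 1), (0, -1), (-1, 0), (-1, 1), (1, 0), (1, -1)}


def passes_complexity(pw):
    """Assumed rule: length >= 8 and at least 3 of 4 character classes."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")
    return len(pw) >= 8 and sum(bool(re.search(c, pw)) for c in classes) >= 3


def longest_walk(pw):
    """Longest run of keys in which each key touches the previous one."""
    keys = [POS.get(ch) for ch in pw.lower().translate(UNSHIFT)]
    best = run = min(1, len(keys))
    for prev, cur in zip(keys, keys[1:]):
        step = (cur[0] - prev[0], cur[1] - prev[1]) if prev and cur else None
        run = run + 1 if step in ADJACENT else 1
        best = max(best, run)
    return best


def pattern_findings(pw):
    """Return the predictable patterns found; an empty list means none."""
    low = pw.lower()
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", low)  # drop padding at either end
    findings = []
    if low in BLOCKLIST or stripped in BLOCKLIST:
        findings.append("base word with padding")
    elif low.translate(LEET) in BLOCKLIST or stripped.translate(LEET) in BLOCKLIST:
        findings.append("leetspeak of base word")
    if longest_walk(pw) >= 4:  # threshold is an assumption
        findings.append("keyboard walk")
    return findings


if __name__ == "__main__":
    for pw in ["ILovemyWife$$", "|10v3myw|fe", "Ilovemywife01", "Cft6mju&",
               "stinkbug horizon toadstool cookie"]:
        print(f"{pw!r}: complexity={passes_complexity(pw)} "
              f"findings={pattern_findings(pw)}")
```

All four patterned passwords satisfy the assumed complexity rule yet are flagged, while the random-word passphrase quoted later in the article fails the rule and produces no findings.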



Is it all bad news?


First, users can be trained to use better passwords. This is especially important for users handling sensitive information.

Second, consider passphrases.

Passphrases are another form of authentication that has begun getting press and holds a lot of promise to make our lives easier and the attackers' lives harder. Passphrases are currently supported by all major platforms.

Passphrases are made up of random words that are easy for a person to remember but tough for a computer to crack. For example, the passphrase “stinkbug horizon toadstool cookie” would take centuries to crack with modern computers, according to the password cracking calculator. This gives protection against brute-force attacks, but passphrases can be vulnerable to a dictionary attack.

Third, consider exposed password screening. NIST recommends that organizations consider implementing exposed password screening as part of their password policies to ensure that their users are not reusing passwords or passphrases that are compromised.


Fourth, consider multi-factor authentication. Possibilities range from SMS text and software/hardware token generators to smartcards.


Corcystems knows cybersecurity. We can help your business with HIPAA, NIST, PCI, FFIEC, as well as SOC and SIEM monitoring. Our dedicated team of security professionals will keep your network and data safe 24/7.














© 2021 Market Pros International Inc.