Last week, I signed up on a new web forum. On registration, the following text popped up:

To enhance our site security, your password must be a minimum of eight characters long, contain one upper case letter, a number and a special character.

I signed up for the site, but wondered later just how much more effective this style of password really was. I’ve seen that same text on multiple sites, and where I work we have the same password policy in place. I simply wanted to see how much more effective that enforced password policy was, and to confirm that we were taking proper steps to protect our users.

I composed the Excel chart below over a lunch break, and the results shocked me. A “perfect” password (eight characters drawn from all 94 printable ASCII characters, 94^8) has over six quadrillion combinations. A policy-enforced password of the type described above, which the chart effectively counts as eight characters with the capital, the digit and the special character each in a predictable position (26^6 × 10 × 32, roughly 99 billion combinations), comes out at less than half the combinations of a purely lower-case eight-character password (26^8, roughly 209 billion), the very kind we had been warned against using.

As a simple example, eight lower-case letters have more than twice the combinations of $5Montyz on this count; the seven-letter robocat falls short of that (26^7 is only about 8 billion) and needs one more letter for the comparison to hold.

I ran a series of combinations and found that, overall, passwords whose content was not dictated by policy were more effective than those that were.

I had a hard time seeing the overall impact, so I added a money column, since everyone can relate to cash: each password is priced in proportion to its number of combinations. If a perfect password is worth $100,000, then a policy-enforced password is valued at only $1.62, while an entirely lower-case one is worth $3.43.

Randomly generating the password is the typical way around this. However, a password such as R#<,.mL6 will only end up written on a sticky note stuck to the user’s monitor.

To get a password of reasonable strength that is also user-friendly, use mixed upper- and lower-case letters in place of a policy-dictated pattern, and above all make it longer: a long password or passphrase is worth far more than a short one.

Using the same logic as above, the passphrase MyCatIsQuiteCute, a sixteen-character upper- and lower-case password (52^16, about 2.9 × 10^27 combinations), would be worth $46,884,649,035,711,300.
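To make the chart’s arithmetic reproducible, here is an added Python example (mine, not the author’s spreadsheet) that prices any password the way the post does. The chart’s alphabet sizes are not given in the post; the values assumed here (26 lower, 26 upper, 10 digits, 32 specials, 94 printable characters in total, and a policy password modelled as a template in which the attacker knows which position holds the capital, the digit and the special) reproduce the post’s $3.43, $1.62 and $46,884,649,035,711,300 figures. The function and constant names (`classify`, `templated_keyspace`, `keyspace`, `dollars`, `exhaust_seconds`, `SIZES`) and the 10 billion guesses per second rate are my own choices for illustration. The example also goes beyond the chart: `keyspace` counts, by inclusion-exclusion, every policy-compliant password when the attacker does not know where the required characters were placed, so the two pricing bases can be compared side by side.

```python
import string
from itertools import combinations
from math import prod

# Class sizes assumed for the chart (the post does not list them): 26 lower,
# 26 upper, 10 digits and 32 specials, i.e. the 94 printable ASCII characters
# without the space. These reproduce the post's $3.43, $1.62 and
# $46,884,649,035,711,300 figures, so they are taken as its basis.
SIZES = {"l": 26, "u": 26, "d": 10, "s": 32}
ALL_CLASSES = "luds"
PRINTABLE = sum(SIZES.values())      # 94
REFERENCE_SPACE = PRINTABLE ** 8      # the post's "perfect" 8-character password ...
REFERENCE_VALUE = 100_000             # ... which the post prices at $100,000


def classify(password: str) -> str:
    """Map a concrete password to a per-position class template,
    e.g. '$5Montyz' -> 'sdulllll', 'robocat' -> 'lllllll'."""
    alphabets = [(string.ascii_lowercase, "l"), (string.ascii_uppercase, "u"),
                 (string.digits, "d"), (string.punctuation, "s")]
    template = []
    for ch in password:
        for alphabet, code in alphabets:
            if ch in alphabet:
                template.append(code)
                break
        else:
            raise ValueError(f"{ch!r} is outside the 94-character alphabet")
    return "".join(template)


def templated_keyspace(template: str) -> int:
    """Combinations when the attacker knows the class at every position.
    This is how the chart prices a policy password: the capital, digit and
    special sit in predictable places, so each slot ranges over one class."""
    return prod(SIZES[c] for c in template)


def keyspace(length: int, allowed: str = ALL_CLASSES, required: str = "") -> int:
    """Strings of `length` over the allowed classes that contain at least one
    character from every required class, counted by inclusion-exclusion over
    the required classes that might be absent. keyspace(8, "l") is 26**8,
    keyspace(16, "lu") is 52**16, and keyspace(8, "luds", "uds") is every
    password that satisfies the forum's policy when the attacker does not
    know where the required characters were placed."""
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            alphabet = sum(SIZES[c] for c in allowed if c not in missing)
            total += (-1) ** k * alphabet ** length
    return total


def dollars(space: int) -> float:
    """The post's money column: price a keyspace relative to the reference."""
    return space / REFERENCE_SPACE * REFERENCE_VALUE


def exhaust_seconds(space: int, guesses_per_second: float = 1e10) -> float:
    """Seconds to try every combination at an assumed offline guess rate;
    1e10/s is a round, illustrative figure, not a measurement."""
    return space / guesses_per_second


if __name__ == "__main__":
    rows = [
        ("robocat, 7 lower (template known)", templated_keyspace(classify("robocat"))),
        ("8 lower-case letters", keyspace(8, "l")),
        ("$5Montyz, policy (template known)", templated_keyspace(classify("$5Montyz"))),
        ("any policy-compliant 8 chars (template unknown)", keyspace(8, ALL_CLASSES, "uds")),
        ("perfect: 8 of all 94 characters", keyspace(8)),
        ("MyCatIsQuiteCute, 16 mixed case", keyspace(16, "lu")),
        ("MyCatIsQuiteCute, case of each letter known", templated_keyspace(classify("MyCatIsQuiteCute"))),
    ]
    for label, space in rows:
        print(f"{label:48} {space:>28,d}  ${dollars(space):>24,.2f}  {exhaust_seconds(space):10.3g} s")
```

Running it shows both sides of the chart’s argument: with the template known, the policy password is worth $1.62 against $3.43 for eight lower-case letters, exactly as the post says; with the template unknown, the policy-compliant set is about 3.1 × 10^15, roughly half of the perfect keyspace and far larger than the lower-case one. On either basis the sixteen-character passphrase beats everything else by many orders of magnitude, which is the post’s real point.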

NOTE: This is by no means an exhaustive analysis. It is an oversimplified demonstration based purely on the mathematical number of possible combinations, and many other factors would come into play in real life. Two of them are worth naming. First, the chart prices the policy password as if the attacker already knew which position holds the capital, the digit and the special, but prices the passphrase as if every position could be either case; on either basis the sixteen-character passphrase still wins by many orders of magnitude (even with the case of every letter known it is 26^16, about 4 × 10^22 combinations). Second, counting combinations treats every string as equally likely; MyCatIsQuiteCute is four common English words, and an attacker who guesses word combinations rather than characters faces far fewer possibilities than 52^16.

[Image: the Excel chart of password combinations and their money-column values]


