Password length vs complexity

teancum144 · September 2013

Found a question similar to the following:

Which account policy control requires a user to enter a 15 character alpha-numerical password?
a) Length
b) Strength
c) Expiration
d) Complexity

Answer is 'd', but I picked 'a'. Why complexity when the requirement only specifies length and does not require different types of characters?

JasminLandry · September 2013

It says it in the question: "alpha-numerical" means having both letters and numbers.

Iristheangel · September 2013

Complexity is correct. By requiring alpha-numerical characters, it's adding complexity to the password and making it resistant to brute force attacks

Sharkbait · September 2013

Could someone argue that "complexity" means special characters? I can certainly see the confusion. "d" would have been a slam-dunk about 15 or 20 years ago. But as hacking has gotten better, our requirements for password complexity have gotten more rigid. Upper/lower, numeric, special.

For the question to just offer up alpha-numeric and length, I would think it falls a little short of the "complexity" bar.?

-Sharkbait-

colemic · September 2013

Sure they could, but this is a cert exam (type) question. They want THEIR right answer. Specifically, they indicated length, letters and numbers - to them that constitutes a complex password.

teancum144 · September 2013

I interpreted alpha-numeric to mean the password is limited to alpha-numeric characters, but not that at least one alpha character and at least one numeric character is required. Obviously, my interpretation is incorrect. This question tests a simple concept in a somewhat deceptive way.

colemic · September 2013

teancum144 wrote: »

I interpreted alpha-numeric to mean the password is limited to alpha-numeric characters, but not that at least one alpha character and at least one numeric character is required. Obviously, my interpretation is incorrect. This question tests a simple concept in a somewhat deceptive way.

I don't see how you get alpha-or-numerical out of alpha-numerical. It's two different things. Since both are listed, both are required, the alpha and the numerical.

Sharkbait · September 2013

colemic wrote: »

Sure they could, but this is a cert exam (type) question. They want THEIR right answer. Specifically, they indicated length, letters and numbers - to them that constitutes a complex password.

I totally see your point. This is where I'm TOO LITERAL for my own good. It gets me in trouble a lot outside of software development.

-Sharkbait-

Crikey · September 2013

Taking a cert exam is a skill in, and of, itself.

cyberguypr · September 2013

Here is a short explanation of length vs. complexity.

N2IT · September 2013

Crikey agree 100%

TechGuru80 · September 2013

Iristheangel wrote: »

Complexity is correct. By requiring alpha-numerical characters, it's adding complexity to the password and making it resistant to brute force attacks

testingpassword is not as complex as testingpassword1...although for a good complex password having the number at the end or using a number/symbol to still spell out a dictionary word are both bad practices.

Iristheangel · September 2013

Exactly. It's adding complexity and making it resistant to brute force - Not making it impossible to brute force or foolproof against stupid people (I.e. Paris Hilton changing her phone password to "TinkerBell1")

Asif Dasl · September 2013

There is a good website to calculate how long it would take to brute force your password - HowSecureIsMyPassword.net

TechGuru80 · September 2013

Asif Dasl wrote: »

There is a good website to calculate how long it would take to brute force your password - HowSecureIsMyPassword.net

I wonder how many passwords that website has stored in it's database?

Asif Dasl · September 2013

It doesn't collect passwords...

HowSecureIsMyPassword.net wrote:

This site is for educational use. Due to limitations of the technology involved, its results cannot always be accurate. Your password will not be transferred over the internet.

cyberguypr · September 2013

That website is not accurate. Keeps saying my password of "password" would be cracked instantly

Asif Dasl · September 2013

cyberguypr wrote: »

That website is not accurate. Keeps saying my password of "password" would be cracked instantly

Try "password1"

NetworkVeteran · September 2013

Signs my IT's password policy is brain-dead:

I came up with a long pass phrase with digits and punctuation that would take 64 million years to crack. Problem? Apparently, there was a double-letter somewhere in the password. I gave up being thoughtful after 3 tries.

The password it actually accepted? 11 minutes.

(I actually get it. They don't care so much about 11 minutes vs. 64 million years. They're more worried about those employees who choose passwords that get an "instant" rating. Still, there has to be a better way!)

Asif Dasl · September 2013

I'll admit it's not perfect, I tried "Qwertyuiop" = Instantly cracked

then I tried "Qwertyuiop123" = A million years!!

it's OK for the casual user though, it guesses what you've used and gives you hints on how to make it more secure.

NetworkVeteran · September 2013

What I find most fascinating is the rate---4 billion passwords per second on a desktop.

Geez. Not long ago folks cracked only millions per second! GPU cracking has really changed the landscape.

paul78 · September 2013

@teancum144 - I like the question. I'm not sure exactly what the question author's intent was to convey. But I have always considered password length as another variable of password complexity. I.e. A password policy's complexity would be the summation of: (a) use of case (b) use of numeric and alpha (c) password length, and (d) use of special characters.

Password length vs complexity

Comments