Password length vs complexity
teancum144
Member Posts: 229 ■■■□□□□□□□
in Security+
Found a question similar to the following:
Which account policy control requires a user to enter a 15 character alpha-numerical password?
a) Length
b) Strength
c) Expiration
d) Complexity
Answer is 'd', but I picked 'a'. Why complexity when the requirement only specifies length and does not require different types of characters?
If you like my comments or questions, you can show appreciation by clicking on the reputation badge/star icon near the lower left of my post.
Comments
-
JasminLandry Member Posts: 601 ■■■□□□□□□□
It says it in the question: "alpha-numerical" means having both letters and numbers.
-
Iristheangel Mod Posts: 4,133 Mod
Complexity is correct. By requiring alpha-numerical characters, it's adding complexity to the password and making it resistant to brute force attacks.
-
Sharkbait Member Posts: 35 ■■□□□□□□□□
Could someone argue that "complexity" means special characters? I can certainly see the confusion. "d" would have been a slam-dunk about 15 or 20 years ago. But as hacking has gotten better, our requirements for password complexity have gotten more rigid. Upper/lower, numeric, special.
For the question to just offer up alpha-numeric and length, I would think it falls a little short of the "complexity" bar?
-Sharkbait-
-
colemic Member Posts: 1,569 ■■■■■■■□□□
Sure they could, but this is a cert exam (type) question. They want THEIR right answer. Specifically, they indicated length, letters and numbers - to them that constitutes a complex password.
Working on: staying alive and staying employed
-
teancum144 Member Posts: 229 ■■■□□□□□□□
I interpreted alpha-numeric to mean the password is limited to alpha-numeric characters, but not that at least one alpha character and at least one numeric character is required. Obviously, my interpretation is incorrect. This question tests a simple concept in a somewhat deceptive way.
If you like my comments or questions, you can show appreciation by clicking on the reputation badge/star icon near the lower left of my post.
-
colemic Member Posts: 1,569 ■■■■■■■□□□
teancum144 wrote: »I interpreted alpha-numeric to mean the password is limited to alpha-numeric characters, but not that at least one alpha character and at least one numeric character is required. Obviously, my interpretation is incorrect. This question tests a simple concept in a somewhat deceptive way.
I don't see how you get alpha-or-numerical out of alpha-numerical. It's two different things. Since both are listed, both are required, the alpha and the numerical.
Working on: staying alive and staying employed
-
Sharkbait Member Posts: 35 ■■□□□□□□□□
colemic wrote: »Sure they could, but this is a cert exam (type) question. They want THEIR right answer. Specifically, they indicated length, letters and numbers - to them that constitutes a complex password.
I totally see your point. This is where I'm TOO LITERAL for my own good. It gets me in trouble a lot outside of software development.
-Sharkbait-
-
TechGuru80 Member Posts: 1,539 ■■■■■■□□□□
Iristheangel wrote: »Complexity is correct. By requiring alpha-numerical characters, it's adding complexity to the password and making it resistant to brute force attacks
-
Iristheangel Mod Posts: 4,133 Mod
Exactly. It's adding complexity and making it resistant to brute force - not making it impossible to brute force or foolproof against stupid people (i.e. Paris Hilton changing her phone password to "TinkerBell1").
-
Asif Dasl Member Posts: 2,116 ■■■■■■■■□□
There is a good website to calculate how long it would take to brute force your password - HowSecureIsMyPassword.net
-
TechGuru80 Member Posts: 1,539 ■■■■■■□□□□
Asif Dasl wrote: »There is a good website to calculate how long it would take to brute force your password - HowSecureIsMyPassword.net
I wonder how many passwords that website has stored in its database?
-
Asif Dasl Member Posts: 2,116 ■■■■■■■■□□
It doesn't collect passwords...
HowSecureIsMyPassword.net wrote: »This site is for educational use. Due to limitations of the technology involved, its results cannot always be accurate. Your password will not be transferred over the internet.
-
cyberguypr Mod Posts: 6,928 Mod
That website is not accurate. Keeps saying my password of "password" would be cracked instantly.
-
Asif Dasl Member Posts: 2,116 ■■■■■■■■□□
cyberguypr wrote: »That website is not accurate. Keeps saying my password of "password" would be cracked instantly
-
NetworkVeteran Member Posts: 2,338 ■■■■■■■■□□
Signs my IT's password policy is brain-dead:
I came up with a long pass phrase with digits and punctuation that would take 64 million years to crack. Problem? Apparently, there was a double-letter somewhere in the password. I gave up being thoughtful after 3 tries.
The password it actually accepted? 11 minutes.
(I actually get it. They don't care so much about 11 minutes vs. 64 million years. They're more worried about those employees who choose passwords that get an "instant" rating. Still, there has to be a better way!)
-
Asif Dasl Member Posts: 2,116 ■■■■■■■■□□
I'll admit it's not perfect. I tried "Qwertyuiop" = Instantly cracked,
then I tried "Qwertyuiop123" = A million years!!
It's OK for the casual user though, it guesses what you've used and gives you hints on how to make it more secure.
-
NetworkVeteran Member Posts: 2,338 ■■■■■■■■□□
What I find most fascinating is the rate---4 billion passwords per second on a desktop.
Geez. Not long ago folks cracked only millions per second! GPU cracking has really changed the landscape.
-
paul78 Member Posts: 3,016 ■■■■■■■■■■
@teancum144 - I like the question. I'm not sure exactly what the question author's intent was to convey. But I have always considered password length as another variable of password complexity. I.e. a password policy's complexity would be the summation of: (a) use of case (b) use of numeric and alpha (c) password length, and (d) use of special characters.
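Added example, not part of the original thread: a Python sketch of the two readings of "15 character alpha-numerical" debated above (characters limited to letters and digits, versus at least one letter and at least one digit required), plus a worst-case exhaustive-search estimate at the 4 billion guesses per second quoted in the thread. The function names, defaults and character classes are assumptions made for illustration.

```python
import string

GUESSES_PER_SECOND = 4_000_000_000  # desktop rate quoted in the thread

# Character classes a policy can allow or require (assumed definitions).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": string.punctuation,
}

def check_policy(password, min_length=15,
                 allowed=("lower", "upper", "digit"),
                 required_groups=(("lower", "upper"), ("digit",))):
    """Return the list of policy violations; an empty list means accepted.

    allowed: classes a character may come from (the "limited to" reading).
    required_groups: each group needs at least one character from any of
    its classes (the "at least one letter AND one digit" reading).
    """
    problems = []
    if len(password) < min_length:
        problems.append("length")
    alphabet = "".join(CLASSES[c] for c in allowed)
    if any(ch not in alphabet for ch in password):
        problems.append("charset")
    for group in required_groups:
        chars = "".join(CLASSES[c] for c in group)
        if not any(ch in chars for ch in password):
            problems.append("complexity:" + "|".join(group))
    return problems

def worst_case_seconds(length, classes, rate=GUESSES_PER_SECOND):
    """Seconds to try every string of `length` drawn from `classes`."""
    alphabet_size = sum(len(CLASSES[c]) for c in classes)
    return alphabet_size ** length / rate

if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real account.
    for pw in ("abcdefghijklmno", "abcdefgh1234567", "abc123"):
        print(pw, check_policy(pw), check_policy(pw, required_groups=()))
    all_four = ("lower", "upper", "digit", "special")
    print("8 chars, four classes:", worst_case_seconds(8, all_four), "s")
    print("15 chars, lowercase  :", worst_case_seconds(15, ("lower",)), "s")
```

The estimate assumes every character is chosen uniformly at random, so it says nothing about dictionary words or keyboard patterns such as the "Qwertyuiop123" case mentioned above.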