Reply to post: Simple choices for complexity

Stop resetting your passwords, says UK govt's spy network

Phil W

Simple choices for complexity

I often hear complaints from users, both where I work and elsewhere, about how much of a pain password complexity rules are and how difficult it is to come up with a new password regularly.

These complaints are annoying, not because the users don't appreciate the value of security but because using sufficiently complex passwords that are hard to guess and reasonably hard to brute force is actually not that difficult. Unless you work in government or a high-profile business that's likely to come under a well-resourced/state-sponsored cyber attack, you don't need a totally random sequence of numbers, letters and special characters as a password, just one that moderately powered cracking won't break in a short amount of time.

You can simply construct a password out of numbers and words that have meaning to you but are not related to the system the password is for and wouldn't be immediately obvious to others.

For example, the name and extension number of someone you call regularly at work, maybe your boss, might well be quite memorable, giving something like Richard8417. While it would make a terrible password for work systems, it wouldn't be too bad for an unrelated personal email account or bank login. At work, perhaps your father's date of birth and your mother's middle name, giving you something like 2608Nancy.

For an extra bit of complexity throw in an exclamation mark: 2608!Nancy would be relatively difficult to crack but have enough significant meaning to you to make it memorable, and unless the person trying to crack your work account has detailed personal background information on you to help the process along, this should be secure enough.

If you can remember them, post codes (zip codes) can be useful password components.

Passwords made of memorable components can be secure enough for most purposes as long as you pick ones that have no relevance to the system the password is for, or better yet are quite obscure, such as the phone number/post code of somewhere you used to work 10 years ago, your old school, the house you grew up in but haven't lived at for some time, etc.

This level of complexity, combined with a password lockout policy to prevent sustained brute force attacks, should be more than enough for most purposes.
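An added example, not part of Phil W's post, that puts numbers on the trade-off he describes: it models the guessing effort for a "memorable component" password as the product of its component pools rather than as random characters, and compares the time to exhaust that space under a lockout policy against an offline rate. The pool sizes, the 5-tries/15-minute lockout and the offline rate are assumptions chosen for illustration.

```python
import math
import re

# Constructed assumptions for the component pools a guessing attack enumerates
# when it targets name/word + digits passwords like those in the post.
NAME_POOL = 5_000        # assumed size of a common first-name list
WORD_POOL = 50_000       # assumed size of a dictionary word list
SYMBOL_POOL = 32         # printable ASCII punctuation characters

# Split a password into alphabetic runs, digit runs and symbol runs.
TOKEN_RE = re.compile(r"[A-Za-z]+|[0-9]+|[^A-Za-z0-9]+")


def structure_keyspace(password: str) -> int:
    """Guesses needed to enumerate every password sharing this one's structure.

    Each alphabetic run is modelled as one pick from a name or word list rather
    than as independent letters, because that is how a cracker models it. The
    factorial of the token count covers the attacker not knowing the order.
    """
    tokens = TOKEN_RE.findall(password)
    total = 1
    for tok in tokens:
        if tok.isalpha():
            total *= NAME_POOL if tok[0].isupper() else WORD_POOL
        elif tok.isdigit():
            total *= 10 ** len(tok)
        else:
            total *= SYMBOL_POOL ** len(tok)
    return total * math.factorial(len(tokens))


def online_rate(attempts_before_lockout: int, lockout_seconds: int) -> float:
    """Sustained guesses per second an attacker gets against a lockout policy."""
    return attempts_before_lockout / lockout_seconds


def expected_years(keyspace: int, guesses_per_second: float) -> float:
    """Average time to hit the password: half the keyspace at the given rate."""
    return keyspace / 2 / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    slow = online_rate(5, 15 * 60)   # assumed policy: 5 tries, then 15-minute lockout
    fast = 1e10                      # assumed offline rate against a fast, unsalted hash
    for pw in ("Richard8417", "2608Nancy", "2608!Nancy"):
        ks = structure_keyspace(pw)
        print(f"{pw:12s} keyspace={ks:.1e} "
              f"online={expected_years(ks, slow):.0f} years "
              f"offline={expected_years(ks, fast):.1e} years")
```

The gap between the two columns is the point: the lockout policy is doing most of the work online, while the same structure falls quickly if the hash database leaks.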
