I have to admit – I love writing. It doesn’t matter if it’s a blog or a poem; writing has always been fun for me. It has a lot to do with the creative side of me, sure, but there is also a certain formula to writing that draws me in every single time. Formulas are ideal because they provide a set of guidelines for reaching a specific goal. For writing, the formula centers on sentence structure, plot and progression. You can alter the variables, but the base formula stays the same. With passwords, formulas have a paradoxical relationship: they can be a good thing or a bad thing depending on how they are used. For password complexity, the formulaic process is one that takes some getting used to – but it can also strengthen your logins far beyond what you thought possible.
Writing is fun for me because of its formula – I take something stringent and often difficult to work with and use that to my advantage. In the modern age, creating a strong password is a work of art much the same as writing a poem or short story. Password complexity helps take that artwork and uses it to secure your login like Fort Knox.
Single Sign-on and Password Complexity
SOPHOS cited a recent study done by the UK Government, which discovered that the average person has 19 passwords to remember – nineteen! With everything moving to the cloud, and data breaches becoming increasingly common, the strain of creating memorable passwords is reaching such a high point that many individuals are simply giving up on trying.
In the same study, SOPHOS notes that 47% of the individuals surveyed admitted to using unsafe/easily cracked passwords because of their difficulty with remembering complex passwords. It’s an issue we can all relate to – and also the avenue where Single Sign-on and password complexity meet.
It’s become common understanding now that single sign-on allows you to consolidate all of your various passwords under a single login. What people tend to overlook is not that this promotes convenience and ease of use – but that it also provides a strong method of increasing your overall security online.
A true single sign-on solution not only alleviates the need to remember those 19 different passwords; it allows an end user to devote more brain power to creating and remembering a single, strong and complex password that those various accounts sit behind. Those 19 or more passwords are still there, and still need to be made complex and strong, but you no longer need to remember them.
Single sign-on takes password complexity and asks – how can I make this formula work for me? By locking down the front door with an extremely strong password, as well as some secondary method of authentication, SSO promotes usable, convenient security in a day and age where those ideals seldom meet.
Password Complexity Best Practices
Before I get into the formula for a complex password (and there isn’t just one, really), it is important to see why password complexity is such a big deal. Evaluating the best practices for password complexity will shed some light on just how effective a formula can be if used correctly.
The need for effective password complexity comes from the evolution of password cracking (or guessing) capabilities. Hitachi ID Systems, Inc. has a fantastic document for Password Management Best Practices going into the 2015 year, and they reference some of the following key points.
- Increasing the length of a password as well as the character set raises the number of possible passwords exponentially (see table above).
- This also makes a password harder to guess.
- Require passwords to be changed regularly.
- The password expiration interval should be no longer than 90 days.
- Old passwords should not be allowed to be reused.
- Single Sign-on and/or Password Synchronization should be provided for end users.
- Compose adequate lockout procedures for end users.
- Specify varied password policies and lockout procedures for at least one admin account.
- Encrypt passwords in storage and transit.
- Implement security augmentation.
- One-time Passwords (OTPs) for verification are much stronger than basic Security Questions.
- If Security Questions are used, as many questions as possible should be included, and questions should be randomly chosen during authentication.
So What is the Formula?
I know – time to stop beating around the bush and get straight to the point.
What is the formula for password complexity?
Well, understanding the best practices for password complexity is actually the first step to both understanding and implementing a formulaic approach to creating a strong and substantially secure password. The second step involves properly understanding the specific alterations to the best practices that your environment demands. Every environment is a different beast, and password complexity will be directly affected by the environment and policies that are in place.
That brings us to the final sequence of steps for the complete formula – the structure of the password itself.
This aspect of the formula is largely dependent on your environment and/or what you think your users will be able to tolerate. Too complex a structure and users may be unable to retain it, even if it is the only password they have to remember. Too weak, and you defeat the purpose of the activity altogether.
The Office of Information Technology at Princeton has a great set of guidelines for password complexity and composition on their Information Security webpage. The only caveat with this set of guidelines is the recommendation of using a passphrase as a secure password. Passphrases have one major downfall – while length does beget complexity, and familiar phrases are easy to remember, they are also easy to crack with brute force and dictionary attacks. When looking for a formulaic approach to password complexity, look to the latter half of Princeton’s set of guidelines.
- Minimum of 10 characters for length
- At least one Upper Case Letter
- At least one Lower Case Letter
- Though mixing both throughout is much more secure
- At least one Number
- At least one symbol
- Avoid whole words found in dictionaries
- Refrain from using personal or familiar information
- Avoid sequential numbers/letters
For example, if John Doe is a fan of literature and loves Edgar Allan Poe, he might choose the password: Poe$Raven45. That password meets all of the requirements above, with the one exception of using ‘raven’, a dictionary word. On the surface though, that password still looks very strong – and in some ways it is!
However, with technology making it increasingly simple to research an individual’s particular interests, an attacker could easily crack something so familiar. A better password for John Doe would be something akin to: tHeR^n1083@P. To someone who doesn’t really know what to look for, even the plaintext of that password looks confusing – but there is very little chance of guessing it, and it is still related to John Doe’s interests and realm of familiarity.
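A small policy checker for the Princeton-style rules above, plus a rough search-space measure for the Hitachi point about length and character set, written as an added example (not code from the original post, Princeton or Hitachi). The word list is a constructed stand-in for a real dictionary, and the 33-symbol count and the 3-character "sequential run" rule are assumptions of this example.

```python
import math
import re

# Constructed stand-in for a real dictionary; a deployment would load a full word list.
DICTIONARY_WORDS = {"raven", "password", "welcome", "letmein", "summer", "winter"}
SEQ_RUN = 3  # assumption: 3+ consecutive letters or digits ("abc", "321") count as sequential


def has_sequential_run(pw: str, run: int = SEQ_RUN) -> bool:
    """True if pw contains `run` consecutive ascending or descending letters or digits."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        if not (chunk.isalpha() or chunk.isdigit()):
            continue  # only compare like with like (letters or digits)
        steps = {ord(chunk[j + 1]) - ord(chunk[j]) for j in range(run - 1)}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_policy(pw: str) -> list:
    """Return the list of composition rules the password fails (empty list = passes)."""
    failures = []
    if len(pw) < 10:
        failures.append("length < 10")
    if not re.search(r"[A-Z]", pw):
        failures.append("no upper case letter")
    if not re.search(r"[a-z]", pw):
        failures.append("no lower case letter")
    if not re.search(r"[0-9]", pw):
        failures.append("no number")
    if not re.search(r"[^A-Za-z0-9]", pw):
        failures.append("no symbol")
    low = pw.lower()
    for word in sorted(DICTIONARY_WORDS):  # sorted so the report order is stable
        if len(word) >= 4 and word in low:
            failures.append(f"contains dictionary word '{word}'")
    if has_sequential_run(pw):
        failures.append("contains sequential characters")
    return failures


def keyspace_bits(pw: str) -> float:
    """Brute-force search space in bits, assuming the attacker knows which classes were used.
    This is an upper bound only: dictionary words and personal facts shrink the real effort."""
    size = 0
    if re.search(r"[a-z]", pw): size += 26
    if re.search(r"[A-Z]", pw): size += 26
    if re.search(r"[0-9]", pw): size += 10
    if re.search(r"[^A-Za-z0-9]", pw): size += 33  # assumption: printable ASCII punctuation
    return len(pw) * math.log2(size) if size else 0.0
```

Running both of the post's examples through it shows Poe$Raven45 failing only on the dictionary word, while tHeR^n1083@P passes every rule and has a larger search space simply by being one character longer.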
Of course, this structure will vary based on the Password Policy in place in your environment as well. Regardless, by following this formula with attention to detail and security, password complexity can help you to create a near-impenetrable front door without breaking your budget – or your brain!
There are people who come up to me and say things like, “How do you write poems like that, it’s so hard.” I always respond by telling them just how much I love writing, and how I find the structure a fun way to guide me in the right direction. I approach password complexity in much the same way. I always hated trying to come up with a strong password – until I changed the way I thought about it. That’s all it takes sometimes: change the way you think and, to quote Bill Nye, “We can change the world!”