CNN reported yesterday that Password1 is the most common password in business environments. It’s the simplest password that meets common “complexity” requirements. It illustrates the problem with complexity requirements: a password can meet those requirements while still being extremely predictable.
As such, those passwords can be easy to guess, and they cast doubt on the entire idea of complexity.
An ideal password is at least 9 characters long and contains, at minimum, one uppercase letter, one lowercase letter, a number, and a symbol. I actually have to deal with more draconian requirements than that: At work, I have to have two of each, can’t have a dictionary word anywhere in the password, and the password has to be at least 16 characters long and sufficiently different from the last password. The definition of “sufficiently different” is much clearer to the computer system than it is to me.
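To make the two policies above concrete, here is an added example (not code from the original post) that checks a candidate against the common complexity rules and against the stricter work policy. The wordlist is a constructed stand-in for a real dictionary, and Levenshtein edit distance with a threshold of 6 is an assumed way to make “sufficiently different” measurable.

```python
import re
from typing import List, Optional

# Constructed mini-wordlist; a real deployment would use a full dictionary.
DICTIONARY = {"password", "welcome", "summer", "admin", "letmein"}

CLASSES = (("uppercase", r"[A-Z]"), ("lowercase", r"[a-z]"),
           ("digit", r"[0-9]"), ("symbol", r"[^A-Za-z0-9]"))


def basic_failures(password: str) -> List[str]:
    """Common complexity policy: 9+ chars and one of each character class."""
    fails = []
    if len(password) < 9:
        fails.append("length >= 9")
    for name, pattern in CLASSES:
        if not re.search(pattern, password):
            fails.append(name)
    return fails


def contains_dictionary_word(password: str) -> bool:
    """True if any wordlist entry appears anywhere in the password."""
    low = password.lower()
    return any(word in low for word in DICTIONARY)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; assumed metric for 'sufficiently different'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def strict_failures(password: str, previous: Optional[str] = None,
                    min_distance: int = 6) -> List[str]:
    """Stricter policy: 16+ chars, two of each class, no dictionary word,
    and at least min_distance edits away from the previous password."""
    fails = []
    if len(password) < 16:
        fails.append("length >= 16")
    for name, pattern in CLASSES:
        if len(re.findall(pattern, password)) < 2:
            fails.append("two " + name)
    if contains_dictionary_word(password):
        fails.append("dictionary word")
    if previous is not None and edit_distance(password, previous) < min_distance:
        fails.append("too similar to previous")
    return fails
```

Running it on Password1 shows the point of the post: adding a single symbol satisfies every basic rule, yet the stricter policy still rejects it on length, class counts and the embedded dictionary word.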
I’ll admit that I have a formula for generating passwords, which expire every 45 days. Until I found a repeatable formula that worked, it sometimes took me an hour to find a password that worked. That’s why two-factor authentication like a smartcard and a PIN is effective. It’s much easier to remember a PIN and keep track of a smartcard. It’s possible to break that system too (a hijacked card reader can save the token and PIN off a smartcard, then use it to impersonate you), but it’s a lot harder to convince someone to use their smartcard in an alien system than it is to guess a password. But for that reason, if you have a smartcard, you should never, ever use it in a computer not owned by your company.