Are you complex?

On August 19, 2005, in Security

Signing up for an Office Live Meeting account the other day, I was faced with ‘this’ as their password policy:

Complexity requirements:

    * Must contain one or more numbers
    * Must contain one or more uppercase letters
    * Must contain one or more lowercase letters
    * Must contain at least one of the following special characters:
    * Cannot contain the ID
    * Must be at least 8 characters in length
    * Cannot contain a space
    * Must begin and end with a number or letter

Okay… we need a number in our password… one uppercase letter… one lowercase letter… one special character… it can’t contain the username… no spaces [personally I like spaces, and a space is a perfectly VALID character in a password]… and it has to begin AND end with a number or a letter [so none of those funky characters at either end].

So… do you use anything like that?

You know how long that would take to crack?

…a long time….
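To make the eight rules above concrete, here is an added checker that is not part of the original post and not Office Live Meeting's own code. It assumes `string.punctuation` as the special-character set, because the post's own list of allowed specials did not survive, and it treats "the ID" as a case-insensitive substring match. The sample passwords and the user ID `jdoe` are constructed for illustration.

```python
import string

# Assumption: the page's list of allowed special characters is missing,
# so Python's string.punctuation stands in for it.
SPECIALS = set(string.punctuation)
ALNUM = set(string.ascii_letters + string.digits)


def check_policy(password: str, user_id: str) -> list[str]:
    """Return the rules the password breaks; an empty list means it passes.

    The eight rules are the ones listed in the post, applied in the same order.
    """
    failures = []
    if not any(c.isdigit() for c in password):
        failures.append("needs a number")
    if not any(c.isupper() for c in password):
        failures.append("needs an uppercase letter")
    if not any(c.islower() for c in password):
        failures.append("needs a lowercase letter")
    if not any(c in SPECIALS for c in password):
        failures.append("needs a special character")
    # Assumption: "cannot contain the ID" is a case-insensitive substring test.
    if user_id and user_id.lower() in password.lower():
        failures.append("contains the ID")
    if len(password) < 8:
        failures.append("shorter than 8 characters")
    if " " in password:
        failures.append("contains a space")
    # Both ends must be a letter or digit, so a trailing "!" is rejected.
    if not (password and password[0] in ALNUM and password[-1] in ALNUM):
        failures.append("must begin and end with a letter or number")
    return failures


def examples() -> dict[str, list[str]]:
    """Constructed sample passwords checked against the constructed ID 'jdoe'."""
    samples = [
        "Summer!2005",                   # passes every rule
        "Summer2005!",                   # same characters, but ends with "!"
        "correct horse battery staple",  # long passphrase, rejected on four counts
        "Jdoe!2005x",                    # contains the ID
        "Ab1!",                          # too short
    ]
    return {p: check_policy(p, "jdoe") for p in samples}


if __name__ == "__main__":
    for pw, fails in examples().items():
        print(f"{pw!r}: {'OK' if not fails else ', '.join(fails)}")
```

Note what the last rule does to a password like `Summer2005!`: every class is present, but because the special character is at the end it is rejected, while moving it one place inward makes it acceptable. The 28-character passphrase fails on the space rule regardless of how much longer it is than the minimum.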


2 Responses to Are you complex?

  1. Susan…. I have to agree with everything you have written…. but….

    When you deal with multiple clients (not your own but the company you work for – and they only care about time vs profit) they don’t give a toss about this. In turn, many firms for which I have set up SBS 2003 solutions TIGHT have actually complained, and in turn "I" get hassle because the users can’t just install apps, or can’t just download some piece of rubbish from the Internet and install it.

    Now, I go back in and explain the way things are, and how their ADMINS can do installs etc., and they are usually ok about this, but the company I "USED" to work for… heck, they saw this as a job being done "WRONG" and "I" would get grief for it… so you know what? Many people out there who USED to work for these sorts of companies… they installed with full admin rights, blank passwords or simple surnames etc… and why? So they could get forced on to the next job, and in turn make the client happy, until of course… their network was hit by a virus or someone outside came in remotely due to shoddy passwords…

    And who gets the blame either way?

    No wonder I left…..

  2. says:

    You have to be just a little bit careful with password complexity requirements, though.

    Just as a password policy of "you must change your password every 10 days" leads to users using "password1", "password2", etc, effectively defeating your policy, so too a too-complex complexity policy winds up with your company building its own urban legend of "I just use my usual password with Q!1 at the end of it" – suddenly, you can guess the last three characters of everyone’s password (and the preceding characters remain the usual a-z).

    This is a password policy for external use, so you don’t have the same opportunity to educate the user – make sure you let your users know how the complexity policy protects _them_ and their accounts, and remind them that "standard passwords" or standard password components are counterproductive.
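The second comment's point can be put in numbers. The added example below is not from the post or either commenter; it counts, by inclusion-exclusion, how many strings of a given length satisfy the four "must contain" rules plus the "begin and end with a letter or number" rule, and compares that with the space an attacker actually has to search once everyone is known to use a lowercase word followed by a fixed suffix such as "Q!1". It assumes 32 special characters (the size of `string.punctuation`; the post's own list is missing) and ignores the ID and no-space rules, which only shrink the count further.

```python
from itertools import combinations

# Assumed character-class sizes: the post's special-character list is missing,
# so the 32 characters of string.punctuation are used for "special".
DEFAULT_SIZES = {"digit": 10, "upper": 26, "lower": 26, "special": 32}
EDGE_CLASSES = ("digit", "upper", "lower")  # allowed as first/last character


def count_policy_passwords(length: int, sizes: dict = DEFAULT_SIZES) -> int:
    """Number of strings of `length` that contain every class at least once and
    whose first and last characters are a letter or digit.

    Inclusion-exclusion over the set T of classes that are *absent*: for each T
    count strings drawn from the remaining classes, with the two end positions
    restricted to the remaining edge classes, and alternate the sign by |T|.
    """
    if length < 2:
        raise ValueError("policy needs at least a first and a last character")
    classes = list(sizes)
    total = 0
    for r in range(len(classes) + 1):
        for absent in combinations(classes, r):
            middle = sum(sizes[c] for c in classes if c not in absent)
            edge = sum(sizes[c] for c in EDGE_CLASSES if c not in absent)
            total += (-1) ** r * edge ** 2 * middle ** (length - 2)
    return total


def count_usual_plus_suffix(length: int, suffix_len: int = 3) -> int:
    """Search space when the last `suffix_len` characters are known (e.g. 'Q!1')
    and the rest is the user's usual a-z password, as the comment describes."""
    return 26 ** (length - suffix_len)


def comparison(length: int = 8) -> dict:
    """Constructed comparison for the post's minimum length of 8."""
    policy = count_policy_passwords(length)
    habit = count_usual_plus_suffix(length)
    return {
        "policy_space": policy,
        "usual_plus_Q!1_space": habit,
        "shrink_factor": policy // habit,
    }


if __name__ == "__main__":
    for key, value in comparison().items():
        print(f"{key}: {value:,}")
```

The shrink factor is the cost of the "standard password component" habit: an attacker who knows the suffix convention searches 26^5 candidates per account instead of the full policy-conforming space, which is why the comment says the preceding characters "remain the usual a-z" and the complexity rule buys almost nothing.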