Create a secure password you can actually remember
(Last updated on February 6, 2020)
A strong password is long and complex. Adding spaces, upper case letters, and special characters makes it harder to crack.
But if you take user behavior into consideration, it is unrealistic to expect users to create and remember long passwords made up of random characters. Most users use a dictionary word as the root of their "complex" password. If they follow the common conventions (a capitalized first letter, a number or special character at the end), their passwords are quite predictable and easy to crack.
Since it’s difficult to guarantee password complexity, what should be your best approach? Length! Consider a basic password consisting of only one lowercase letter, such as “a”: the attacker would have 26 possibilities to guess, from a to z. Increase the password length to two characters and the attacker would have to go through 676 possibilities. Increase it to three characters and there are 17576 possibilities. As you increase the password length, you’re not just doubling the work; the number of candidates grows exponentially with each added character.
However, with most password policies requiring three or more character types, it can be a headache to create a long password that meets the policy requirement. When you finally create a password that meets the requirement, such as “w23ge90!x5b%ER,” you realize there’s no way you can remember it by heart. What if you create something like “T@morr@w I leave for Disneyland!” instead? It’s longer than the previous password, it includes more special characters, and it’s extremely easy to remember. That’s what we call a passphrase – an easily memorable phrase rather than a cryptic series of letters, numbers, and symbols.
Specops Password Policy now supports passphrases. This gives administrators the flexibility to waive the complexity requirements when a password exceeds a minimum length, for example 14 characters. That way, users can create passwords that are both secure and easy to remember, so they never have to resort to insecure ways of memorizing them, such as writing them down.
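The two ideas above, the exponential growth of the brute-force search space with length and a policy that waives complexity once a passphrase reaches a minimum length, can be checked with a small script. The following is an added example written for this article; it is not Specops' own code, and the thresholds (8-character minimum, 14-character passphrase exemption, three of four character classes) are assumptions chosen to match the figures the article uses.

```python
from __future__ import annotations

import string

# Character classes used by a typical "three of four" complexity rule.
# The space is counted as a special character so that passphrases with
# spaces get credit for it.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation + " "),
}


def character_classes(password: str) -> set[str]:
    """Return the names of the character classes actually present in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def brute_force_candidates(password: str) -> int:
    """Upper bound on the number of candidates a brute-force attacker must try:
    (size of the alphabet the password draws from) ** (password length).

    This is the 26 / 676 / 17576 progression from the article generalized to
    any alphabet. It is an upper bound only: dictionary-based guessing cuts the
    real effort for passwords built from a word plus a suffix."""
    alphabet = sum(len(CLASSES[name]) for name in character_classes(password))
    return alphabet ** len(password)


def meets_policy(
    password: str,
    min_length: int = 8,          # assumed: shortest password ever accepted
    passphrase_length: int = 14,  # assumed: length at which complexity is waived
    required_classes: int = 3,    # assumed: classes needed below that length
) -> tuple[bool, str]:
    """Length-first policy: long passphrases skip the complexity rule,
    shorter passwords must mix at least `required_classes` character classes."""
    if len(password) < min_length:
        return False, f"rejected: shorter than minimum length {min_length}"
    if len(password) >= passphrase_length:
        return True, "accepted as passphrase: length alone satisfies the policy"
    found = character_classes(password)
    if len(found) >= required_classes:
        return True, f"accepted as complex password: {len(found)} character classes"
    return False, f"rejected: needs {required_classes} character classes, has {len(found)}"


if __name__ == "__main__":
    for pw in ["a", "aaa", "Password1", "w23ge90!x5b%ER", "T@morr@w I leave for Disneyland!"]:
        ok, reason = meets_policy(pw)
        print(f"{pw!r}: {brute_force_candidates(pw):.3e} candidates; {reason}")
```

Running the script shows that the passphrase from the article draws from a slightly smaller alphabet than “w23ge90!x5b%ER” (it has no digits) yet its search space is larger by more than a hundred bits, because length dominates. Note that `brute_force_candidates` is only an upper bound: “Password1” passes the three-class rule but is exactly the dictionary-word-plus-suffix pattern the article warns about, which is why a length-based rule is the better lever.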