I had to change a client's password last week, and when I did I found out that they are one of those who think that using the Windows Minimum Password Complexity Requirements will help them be more secure.
I already, by default, use passwords that are secure enough to defeat a casual hacker and a dictionary attack. I use passwords that have letters with at least one symbol (basically, SHIFT-) and at least one number. I usually don't bother mixing case because not all password systems are case sensitive (MS SQL Server, for instance, isn't. And usually software that I write isn't case sensitive either).
So I tried my usual fare: &krkt6505, four easy-to-remember letters, an easy-to-remember number, and a symbol tacked on the beginning. PLENTY secure.
No dice. Windows Minimum Password Complexity Rules (MPCR) says, “uh-uh – not complex enough.”
Cripes. Ok, how about adding an Upper Case. &Krkt6505.
Ok, add another symbol and an extra digit. &Krkt65052%
For crying out loud.
After a lot of trying, I found out that it requires TWO upper case letters. Now this is just dumb because it doesn't care how many lower case letters there are, just so long as there are at least two upper case.
So what eventually got it?
Dig this: &AAA111
Holy cow. THAT is complex enough, but &Krkt65052% is NOT?????
I have a problem overall with password complexity. For my clients that insist on using it, I claim that they are actually LESS secure.
By making passwords THAT complex, you are almost guaranteeing that users will WRITE THEM DOWN SOMEWHERE!
And to prove it, I offer to guarantee them that within five minutes of walking around their office, I can find one of those passwords written down somewhere.
At one of my clients, the client has mandated that the admin password be so complex that even I cannot remember it. As proof of my concept, I'm walking around with this password written down in my wallet. And to make matters much worse, it's descriptive enough that anyone who found it would know WHOSE password it is!!!
This business of substituting certain numbers for certain letters is kinda lame, because they are simple substitutions: a basic dictionary crack that took them into account would easily defeat a lot of such passwords.
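To show what "a dictionary crack that took them into account" looks like in practice, here is an added example (not code from the original post) of a small rule-based cracker in Python. It takes a plain wordlist, mangles each word with the usual letter-for-digit/symbol swaps, capitalization, and a tacked-on symbol or number, hashes each candidate with SHA-256, and compares against a set of target hashes. The wordlist, the substitution table, the prefix/suffix lists and the "leaked" hashes are all constructed here for illustration; real tools (John the Ripper, hashcat) do the same thing with far larger rule files and wordlists.

```python
import hashlib
import itertools

# Constructed sample wordlist (assumption: a real attack would use millions of words).
WORDLIST = ["password", "secret", "welcome", "summer"]

# Constructed "leet" substitution table: each letter may stay as-is or become one of these.
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "l": "1"}
# Constructed lists of things people tack on the front or back to satisfy a complexity rule.
PREFIXES = ["", "&", "!"]
SUFFIXES = ["", "1", "123", "2023", "!", "1!"]


def leet_variants(word):
    """Yield every spelling of word where each substitutable letter is kept or swapped."""
    options = []
    for ch in word:
        subs = LEET.get(ch.lower(), "")
        options.append([ch] + list(subs))
    for combo in itertools.product(*options):
        yield "".join(combo)


def case_variants(word):
    """The three capitalisations users actually pick: as-is, Capitalised, UPPER."""
    yield word
    yield word.capitalize()
    yield word.upper()


def candidates(word):
    """Yield every unique mangled form of a dictionary word."""
    seen = set()
    for cased in case_variants(word):
        for leet in leet_variants(cased):
            for pre in PREFIXES:
                for suf in SUFFIXES:
                    cand = pre + leet + suf
                    if cand not in seen:
                        seen.add(cand)
                        yield cand


def sha256_hex(text):
    """Unsalted SHA-256, chosen only so the example is self-contained and fast."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def crack(target_hashes, wordlist):
    """Return {hash: plaintext} for every target recovered by rule-based mangling."""
    remaining = set(target_hashes)
    found = {}
    for word in wordlist:
        for cand in candidates(word):
            digest = sha256_hex(cand)
            if digest in remaining:
                found[digest] = cand
                remaining.discard(digest)
                if not remaining:
                    return found
    return found


# Constructed "leaked" passwords: each has letters, a digit and/or a symbol, so a
# simple complexity checker would call them complex. None survives the rules above.
SAMPLE_PASSWORDS = ["P@ssw0rd1", "&S3cr3t!", "Welcome123", "5umm3r2023"]
SAMPLE_HASHES = [sha256_hex(p) for p in SAMPLE_PASSWORDS]


if __name__ == "__main__":
    recovered = crack(SAMPLE_HASHES, WORDLIST)
    for digest in SAMPLE_HASHES:
        print(digest[:12], "->", recovered.get(digest, "(not recovered)"))
```

The point of the example is the candidate count: four dictionary words expand to a few thousand guesses, which a modern cracker tries in well under a second, so swapping `e` for `3` or prefixing `&` buys almost nothing. A password that is not derived from a dictionary word at all (a random string, or a long passphrase of unrelated words) never appears in that candidate set no matter how many rules are added.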