Question on complex passwords

There has been some discussion within the business about whether or not to enforce passwords that contain special characters (e.g. &*$! etc) for access to a particular enterprise system. I’m not in favour.

Here’s why. If we enforce strong passwords that contain special characters then everyone will use something like P@55w0rd. The really clever people who come up with an eleven-character variation of their pet’s name, or line 5 from the 4th page of their favourite novel, will then either forget it by the next time they log in or have to write it down somewhere, invariably lose the piece of paper, and then have to call the helpdesk for assistance.

We can find good guidance in multiple places for creating strong, memorable passwords, so I won’t go into that detail here except to say that I think it’s sensible to have a policy where passwords are enforced to contain a combination of three out of four of i) lower case letters (e.g. a-z) ii) upper case letters (e.g. A-Z) iii) numbers (e.g. 0-9) iv) special characters (e.g. !@#$%^&*()_+|~-=\`{}[]:";'?,./). The website linked here will tell you whether or not the password you want to use is strong. There’s also a good article here about how long passwords of various lengths would theoretically take to crack by exhaustive search; bear in mind that such figures assume the password was chosen at random, not a predictable pattern like P@55w0rd, which rule-based cracking finds in seconds regardless of how many character classes it uses.
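As an added example (this is not code from the original post), the Python below implements the three-out-of-four composition rule described above and pairs it with a second check that undoes common letter-for-symbol substitutions and compares the result against a wordlist. It shows why the composition rule alone is a poor measure of strength: P@55w0rd uses all four character classes yet normalises to "password", while a long all-lowercase passphrase fails the rule despite being far harder to guess. The substitution table and the six-word wordlist are constructed for this example, as is the guess rate used by the brute-force estimate, which only applies to passwords chosen uniformly at random.

```python
"""Composition rule vs. predictability check for passwords.

Added example, not part of the original post. LEET_MAP and WORDLIST are
small constructed tables for illustration; real cracking rulesets and
dictionaries are vastly larger.
"""
import math
import string

LOWER, UPPER, DIGIT, SPECIAL = "lower", "upper", "digit", "special"

# The post's special-character set is printable ASCII that is neither a
# letter nor a digit; string.punctuation covers exactly those characters.
SPECIAL_CHARS = set(string.punctuation)


def character_classes(password: str) -> set:
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add(LOWER)
        elif ch.isupper():
            classes.add(UPPER)
        elif ch.isdigit():
            classes.add(DIGIT)
        elif ch in SPECIAL_CHARS:
            classes.add(SPECIAL)
    return classes


def meets_three_of_four(password: str, min_length: int = 8) -> bool:
    """The composition policy described in the post: at least min_length
    characters drawn from at least three of the four classes."""
    return len(password) >= min_length and len(character_classes(password)) >= 3


# Substitutions users typically apply to satisfy a complexity rule.
# Constructed for this example (hashcat/John ship far larger leet rules).
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o",
    "$": "s", "5": "s", "7": "t", "+": "t", "|": "l",
})

# Constructed stand-in for a real dictionary of common passwords.
WORDLIST = {"password", "welcome", "letmein", "qwerty", "monkey", "dragon"}


def normalize_leet(password: str) -> str:
    """Reduce a password to its base word: drop trailing digits and
    punctuation (Password1! -> Password), then lower-case and undo
    leet substitutions (P@55w0rd -> password)."""
    stripped = password.rstrip(string.digits + string.punctuation)
    return stripped.lower().translate(LEET_MAP)


def is_predictable(password: str, wordlist=WORDLIST) -> bool:
    """True if the password is a case/leet/suffix variant of a listed word."""
    return normalize_leet(password) in wordlist


def evaluate(password: str) -> dict:
    """Run both checks and return the verdict with its reasons."""
    composition_ok = meets_three_of_four(password)
    predictable = is_predictable(password)
    return {
        "password": password,
        "classes": sorted(character_classes(password)),
        "meets_3_of_4": composition_ok,
        "predictable": predictable,
        "accept": composition_ok and not predictable,
    }


def random_password_bits(charset_size: int, length: int) -> float:
    """Entropy of a password drawn uniformly at random from a charset.
    Only meaningful for truly random passwords; a human-chosen P@55w0rd
    has nowhere near 8*log2(95) bits whatever its character classes."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case offline brute-force time at an assumed guess rate. The
    rate depends entirely on the hash algorithm and attacker hardware, so
    the caller must supply it; nothing here should be read as a real figure."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    for pw in ("P@55w0rd", "Welc0me!", "Password1!", "correcthorsebatterystaple"):
        v = evaluate(pw)
        print(f"{pw:28} classes={len(v['classes'])} 3of4={v['meets_3_of_4']} "
              f"predictable={v['predictable']} accept={v['accept']}")
    # Assumed guess rate of 1e9/s for comparison only (constructed figure).
    for size, length in ((26, 8), (95, 8), (26, 16)):
        bits = random_password_bits(size, length)
        print(f"random {length} chars from {size}: {bits:.1f} bits, "
              f"{seconds_to_exhaust(bits, 1e9):.0f} s at 1e9 guesses/s")
```

Running it shows P@55w0rd and Welc0me! passing the three-of-four rule but being rejected as predictable, and the passphrase failing the rule with only one class present, which is the mismatch the post is worried about.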

So back to the original point of today’s blog: my policy would be to allow special characters but not to enforce them. Of course, the solution to the problem must, as ever, come down to risk. For some systems we might assess the risk as too great not to enforce special characters. But how do you then ensure users remember the passwords they have set? Perhaps that comes with practice, and for a small group of users it might be practical. Have a good day! $tU@Rt &1nG


1 comment


Too many places have the contrary policy of explicitly disallowing special characters. Which makes it easier to forget the exceptions to your personal strong-password-generation rules. Not that it matters too much - keyloggers capture complex passwords as easily as 4-digit PINs. Note the time-to-crack article only applies to truly random passwords. Bruce Schneier has a great article on real-life secure passwords.