Are complex passwords really necessary?
Enforcing the use of complex passwords can be difficult: they are hard to remember and therefore inconvenient, and if they are also set to expire after a number of weeks or months, that inconvenience is repeated over and over again.
So, is it worth the effort of making complex passwords mandatory?
It absolutely is.
Complex passwords delay and discourage attempts to guess or determine your passwords by systematically trying many candidates, which is known as a brute force attack.
The use of complex passwords discourages password sharing between staff, which is still a common practice particularly in environments where computers are shared. When staff are sharing passwords there is no practical way to know who is using your system, and thus no way to control access or enforce policies.
We recommend that complex passwords be used, but with consideration for the staff who need to use and remember them.
We normally configure password complexity requirements, together with password expiry intervals, so that our customers are better protected.
A complex password should meet the following requirements:
- Is at least eight characters long.
- Does not contain your user name, real name, or company name.
- Does not contain a complete word.
- Is significantly different from previous passwords.
- Contains characters from each of the following four categories:
| Character category | Examples |
|---|---|
| Uppercase letters | A, B, C |
| Lowercase letters | a, b, c |
| Numbers | 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 |
| Symbols found on the keyboard (all keyboard characters not defined as letters or numerals) and spaces | \` ~ ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ \| : ; " ' < > , . ? / |
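As an added example (not part of the original article or of any product it describes), the following Python function checks a candidate password against the five requirements listed above and reports which ones it fails. The small word list is a constructed stand-in for a real dictionary, and the 0.7 similarity threshold used for "significantly different from previous passwords" is an assumption, since the policy does not define that phrase.

```python
import re
from difflib import SequenceMatcher

# Constructed sample word list; a real deployment would load a full dictionary.
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein"}

# The four character categories from the policy table. "symbol" covers every
# keyboard character that is not a letter or a numeral, including the space.
CATEGORY_PATTERNS = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def check_password(password, user_name="", real_name="", company_name="",
                   previous=(), similarity_limit=0.7):
    """Return the list of policy rules the password fails (empty means compliant).

    similarity_limit is an assumption: a SequenceMatcher ratio above it counts
    as "not significantly different" from a previous password.
    """
    failures = []
    lowered = password.lower()

    if len(password) < 8:
        failures.append("shorter than 8 characters")

    # Name checks are case-insensitive; a real name such as "Jane Doe" is also
    # split so that "jane" or "doe" on its own is rejected.
    for name in [user_name, company_name, real_name] + real_name.split():
        if name and name.lower() in lowered:
            failures.append(f"contains name '{name}'")
            break

    # "Does not contain a complete word": reject any dictionary entry that
    # appears whole, e.g. "Summer2024!" fails on "summer".
    for word in DICTIONARY:
        if word in lowered:
            failures.append(f"contains dictionary word '{word}'")
            break

    for old in previous:
        if SequenceMatcher(None, lowered, old.lower()).ratio() > similarity_limit:
            failures.append("too similar to a previous password")
            break

    missing = [c for c, pat in CATEGORY_PATTERNS.items() if not pat.search(password)]
    if missing:
        failures.append("missing character categories: " + ", ".join(missing))

    return failures
```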