Thursday, 17 October 2013

Why password security requirements hand the advantage to the hackers!

Most of you will have come across a variation of this message at one point in your life:

"The password you entered doesn't meet the minimum security requirements."

Every 3 months the security policy on my work email forces me to change my password. This is understandable, but it can't be the same password as any previous passwords you have had, it has to have 8 characters or more including lower case, upper case, punctuation and at least 2 numbers

A simple password to remember could be:
'the cat walked down the road and sat down'
This is a 41 character password which would take hackers years and year to break even though it is so simple for the human mind to remember.

Of course this would not pass the security policy so this needs to be changed to:
'The cat walked d0wn the r0ad and sat down!'
This is now impossible to remember so the user has two choices:

Either write the password down somewhere totally insecure.
Or make an easier password:

This password is only 9 characters and passes the security policy tests without a problem. That said according to it would take 344 days to break this password whereas the 41 character password would take 479,245,873,413,199,200,000,000,000,000,000,000,000,000,000,000,000 years

Obviously I have no idea how to say that number out loud but it's billions of times more secure.

This is a cry for help to all systems administrators: Get rid of these ridiculous security policies. If you require a certain length password that is fine, but the rest of the policies at utter nonsense.

Please share this post if password policies have **** *** *** (annoyed you).


  1. I have been trying to convince my bosses and IT departments of this for years now. I finally went independent with my own (non-IT) consultancy, and one of the benefits is not having to comply with outdated, less-effective security policy. You and Randall Munroe need to get the message out there and save the world!! Thanks!

    1. Hi, I'm glad to hear somebody who is implementing this. What's the reaction from people when you tell them they don't need special chars and numbers - just a longer password?