Why Use Long, Complex, Expiring Passwords?
by Joe Kuter, Field Engineer for Data Network Group.
Yes, you have been told by someone techy that you NEED to have a long complex password to keep someone from gaining access to your data, your bank information and your high school transcripts. So why are complex passwords better, and where is the cutoff between secure and annoying?
I’ll start with a high-level explanation of how passwords work. A properly built system never stores your password itself. When you set it, the system runs it through a one-way function called a hash and keeps only the result; when you log in, it hashes what you typed and compares the two. A hash is not encryption: there is no key that turns it back into the password. For example, if your password is “password”, what gets stored is a fixed-length string that looks nothing like it, such as “FCqJo3Etwpo” (an illustrative value, not the output of any particular hash function). A web login usually sends the password itself over an encrypted (TLS) connection and lets the server do the hashing; some network authentication protocols instead put a value derived from the hash on the wire. Either way, this is better than storing plaintext, but freely available tools (John the Ripper and hashcat are the best known, and both are free) can recover a weak password from its hash very quickly, and they take very little skill to use. I won’t get into the details of how a hash gets stolen; suffice it to say that leaked databases, memory dumps and captured network traffic are common sources, and there are tools that make it fairly easy.
Once an attacker has the hash, the standard way to crack it is with software that guesses passwords one after another, hashes each guess with the same function, and compares the result to the stolen hash; a match means the guess is the password. This is an offline attack: the guesses never touch the login system, so a lockout after a maximum number of failed attempts never fires, and the only limits are the attacker’s hardware and patience. Cracking tools typically start with a wordlist of common passwords (and simple variations of them), then fall back to an incremental search that tries every combination: a, b, … z, aa, ab, and so on, growing one character at a time.
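The two phases described above, as an added example that is not part of the original post and not the code of any real cracking tool. It assumes an unsalted SHA-256 as the stored hash (chosen only so it runs quickly and deterministically), a constructed five-word wordlist standing in for a real one, and a constructed stolen hash of the password “abc1”. The server-side `verify_login` and the attacker’s guess loop use the same comparison, which is the whole point: nothing in the loop ever contacts the server.

```python
import hashlib
import itertools
import string

ALPHANUMERIC = string.ascii_lowercase + string.digits   # 36-symbol search alphabet


def hash_password(password: str) -> str:
    """Stand-in for what the system stores: an unsalted SHA-256 of the password.
    Unsalted, fast hashing is exactly what makes offline cracking cheap."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def verify_login(stored_hash: str, attempt: str) -> bool:
    """What the real system does at login: hash the attempt, compare digests."""
    return hash_password(attempt) == stored_hash


# Constructed sample: a stolen hash, as an attacker would obtain it from a
# leaked database. The guesses below are never sent to the server, so a
# lockout after N failed logins never triggers.
STOLEN_HASH = hash_password("abc1")

# Constructed stand-in for a real wordlist (rockyou.txt and the like).
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "abc123"]


def dictionary_attack(target_hash: str, wordlist):
    """Phase 1: try common passwords first; most real cracks end here.
    Returns (password or None, number of guesses hashed)."""
    attempts = 0
    for candidate in wordlist:
        attempts += 1
        if hash_password(candidate) == target_hash:
            return candidate, attempts
    return None, attempts


def brute_force(target_hash: str, alphabet: str, max_length: int):
    """Phase 2: incremental search a, b, ..., aa, ab, ... up to max_length.
    Returns (password or None, number of guesses hashed)."""
    attempts = 0
    for length in range(1, max_length + 1):
        for combo in itertools.product(alphabet, repeat=length):
            attempts += 1
            candidate = "".join(combo)
            if hash_password(candidate) == target_hash:
                return candidate, attempts
    return None, attempts


def crack(target_hash: str, wordlist, alphabet: str, max_length: int):
    """Run both phases the way cracking tools do: wordlist, then brute force.
    Returns (password or None, total guesses hashed)."""
    found, attempts = dictionary_attack(target_hash, wordlist)
    if found is not None:
        return found, attempts
    found, more = brute_force(target_hash, alphabet, max_length)
    return found, attempts + more


if __name__ == "__main__":
    password, guesses = crack(STOLEN_HASH, COMMON_PASSWORDS, ALPHANUMERIC, 4)
    print(f"recovered {password!r} after {guesses} offline guesses")
    print("login with recovered password:", verify_login(STOLEN_HASH, password))
```

With a 36-symbol alphabet the search reaches “abc1” after about fifty thousand hashes, which a laptop does in well under a second; every extra character of length multiplies that count by 36.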
From the user’s side not much can be done to stop an offline attack; what a long, complex password does is make the space of possible passwords too large to search in any useful time. Here are some figures for how long it would take to crack an 8-character password (from http://www.lockdown.co.uk/?pg=combi). They are worst-case times to try every possible password, and they assume a fixed guessing rate: 26^8 lower-case passwords in 35 minutes works out to roughly 100 million guesses per second.
Numbers only, on an average current computer: instantly
Lower-case letters only: 35 minutes
Mixed upper and lower case: 6 days
Mixed upper and lower case plus numbers: 25¼ days
Mixed upper and lower case, numbers and special characters: 2¼ years
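Where those figures come from, as an added example that is not part of the original post or of the cited site’s calculator. The guess rate is an assumption of this example, reverse-engineered from the 35-minute row (26^8 guesses in 35 minutes); the symbol set is Python’s 32 ASCII punctuation characters, so the last row comes out a little under the page’s 2¼ years (the source evidently counted a few more symbols). It also goes beyond the table to show what happens when length rather than character class grows, and when the guess rate is scaled up to what a GPU achieves against a fast hash.

```python
import string

# Guess rate implied by the page's table: 26^8 lower-case passwords in
# 35 minutes is about 99.4 million hashes per second (assumption of this example).
GUESS_RATE_PER_SECOND = 26 ** 8 / (35 * 60)

# Character classes as the table describes them.
CHARSET_SIZES = {
    "numbers only": len(string.digits),                                    # 10
    "lower case only": len(string.ascii_lowercase),                        # 26
    "upper and lower case": len(string.ascii_letters),                     # 52
    "upper, lower, numbers": len(string.ascii_letters + string.digits),    # 62
    "upper, lower, numbers, special":
        len(string.ascii_letters + string.digits + string.punctuation),    # 94
}

SECONDS_PER_YEAR = 365.25 * 86400


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords an exhaustive search must cover."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int,
                       rate: float = GUESS_RATE_PER_SECOND) -> float:
    """Worst case: every password in the space is hashed and compared.
    On average the target turns up after half of them."""
    return keyspace(charset_size, length) / rate


def human_duration(seconds: float) -> str:
    """Render seconds in the largest unit that fits, one decimal place."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def crack_time_table(length: int = 8, rate: float = GUESS_RATE_PER_SECOND):
    """One (name, keyspace, worst-case seconds) row per character class."""
    return [(name, keyspace(size, length), seconds_to_exhaust(size, length, rate))
            for name, size in CHARSET_SIZES.items()]


if __name__ == "__main__":
    for name, size, secs in crack_time_table():
        print(f"{name:32s} {size:>20,d} {human_duration(secs)}")
    # Length beats complexity: 12 lower-case letters outlast 8 of everything.
    print("26^12 lower case only:", human_duration(seconds_to_exhaust(26, 12)))
    # A GPU rig against a fast hash runs thousands of times quicker; scale the rate.
    print("94^8 at 1000x the rate:",
          human_duration(seconds_to_exhaust(94, 8, rate=GUESS_RATE_PER_SECOND * 1000)))
```

Running it reproduces the page’s rows (1 second, 35 minutes, 6.2 days, 25.4 days, 1.9 years) and shows two things the table alone does not: twelve lower-case letters take about 30 years at the same rate, and multiplying the rate by a thousand turns the 2-year row into under a day.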
So an 8-character password mixing upper and lower case, numbers and special characters takes over two years to exhaust at that rate; if it also expires once a year, a brute-force search would on average not reach it before it is replaced. Two caveats: the figures hold only for a password that is genuinely random, because “Password1!” has the right character mix and still falls to a wordlist with substitution rules in seconds; and modern GPU rigs working against fast hashes such as MD5 or NTLM run thousands of times faster than the rate assumed above, which is why length matters more than any single character class (each extra character multiplies the search space by the size of the alphabet). The takeaway is that when someone (or a website) insists you use a long, complex password, it is not being done just to annoy you. There is logic to the madness.