Password Complexity Requirements
Okay – yet another one of my pet peeves. I installed the Adobe CS3 web suite and had to log into the Adobe site to pull down the authorization key to get this puppy fired up. Typical steps – enter email, set a password and…what’s this? Adobe didn’t like my choice of passwords?
Enter the pet peeve. I HATE it when I run into these draconian IT guys who think that they’re keeping me so much safer by enforcing the security wisdom passed down through the generations – that a good password is a "complex" password. Ancient IT guy say password must have numbers + alpha characters + symbols. Heck, while we’re at it, let’s throw in some Alt-character symbols – right? Time for these guys to attend a SANS security class…it’s password length, not complexity, that makes it harder to brute-force your password. Come up with a good pass-phrase of >15 characters and misspell some of the words. That’ll be tough to crack and easier to remember.
So do yourself and your users a favor and quit adhering to legacy logic. Let ’em put in whatever passwords they want and maybe force a minimum length – do away with all that "complexity" nonsense. It just makes us have to write the passwords down and paste them to the monitor – or better yet – on a sticky note under the keyboard – nobody will EVER think to look under there ;?)
Doug White
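The length-versus-complexity argument above, as an added example that is not part of the original post: it checks two constructed sample passwords against a legacy complexity rule and a length-only rule, then compares their exhaustive-search space. The 8-character legacy minimum, the function names and both sample passwords are assumptions; the figure covers brute-force enumeration only and does not model dictionary guessing.

```python
import math
import string

MIN_LENGTH = 16  # "more than 15 characters", as the post suggests


def legacy_complexity_ok(pw: str) -> bool:
    """Legacy rule (assumed): 8+ chars with a letter, a digit and a symbol."""
    return (len(pw) >= 8
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def length_only_ok(pw: str) -> bool:
    """Length-only rule: no character-class requirements at all."""
    return len(pw) >= MIN_LENGTH


def alphabet_size(pw: str) -> int:
    """Smallest printable-ASCII alphabet an attacker must enumerate."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation or c == " " for c in pw):
        size += 33  # 32 punctuation characters plus space
    return size


def brute_force_bits(pw: str) -> float:
    """log2 of the exhaustive-search space: length * log2(alphabet)."""
    size = alphabet_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    # Constructed samples: a "complex" password and a misspelled passphrase.
    for pw in ("P@ssw0rd1", "purpel monkee dishwashr"):
        print(f"{pw!r}: legacy={legacy_complexity_ok(pw)} "
              f"length_only={length_only_ok(pw)} "
              f"bits={brute_force_bits(pw):.1f}")
```
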