Password Complexity Matters
By Gen Cralev, on 1 March 2017
There is an endless supply of literature on the Internet about usernames and passwords. Yet this is an immensely important topic that will always be relevant.
Tom has already written a blog post about passwords from a risk perspective so I will approach the topic from another angle and explain why the complexity of your password can make a huge difference to the overall security of your information.
However, first it is necessary to take a look at the basic mechanisms behind usernames and passwords. From a security perspective, a username is simply a form of identification. When a system is asking you for a username, it is essentially asking you to identify yourself as a user of its resources. In its basic form, this is the equivalent of someone asking you for your name. You can reply however you like. Whether they believe you or not is a different matter. This is where a password comes in. When you provide your password, you are basically authenticating yourself as the person that the provided username belongs to. Only you should know the password corresponding to your username. This is the equivalent of providing a driver’s license or a passport to confirm that you are indeed who you say you are.
Problems with passwords
Now let’s consider a common problem in the information security world – a compromised account. What I’m referring to here is the case where someone other than the intended individual has access to a specific account. This can come about in a number of ways such as:
- Willingly sharing credentials (e.g. with your colleague)
- Shoulder surfing (the attacker looks over your shoulder while you are typing your password)
- Writing a password down and storing it insecurely (e.g. on a sticky note at your desk)
- Data leak (usernames and passwords are made publicly available without authorisation)
- Brute force/dictionary attacks (the attacker guesses the password, either by trying every possible combination or by working through a dictionary of commonly used passwords)
In relation to most of the points above, and the brute force/dictionary attack in particular, a more complex password can significantly improve security. This comes down to the way that this specific attack is performed. A computer is highly efficient and can test a large number of passwords in a short period of time, and the more computing power dedicated to the task, the quicker the password will be correctly guessed.
As you add extra complexity elements to your password (extra characters and different types of characters) you make it increasingly difficult for a computer to successfully guess your password, because every extra character multiplies the number of combinations it has to try.
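To make the arithmetic behind the two paragraphs above concrete, here is an added Python example (not part of the original post) that estimates the expected number of guesses, and the time at a given guess rate, for passwords drawn from different character classes; the alphabet sizes, the five-entry common-password list and the 10^10 guesses-per-second rate are all constructed assumptions, not measured figures.

```python
# Alphabet sizes per character class (printable ASCII; an assumed model, not a measurement).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

# Constructed stand-in for an attacker's dictionary of commonly used passwords.
COMMON_PASSWORDS = ["password", "password1", "123456", "qwerty", "letmein"]


def classes_used(password):
    """Return the set of character classes a password actually draws from."""
    used = set()
    for ch in password:
        if ch.islower():
            used.add("lower")
        elif ch.isupper():
            used.add("upper")
        elif ch.isdigit():
            used.add("digit")
        else:
            used.add("symbol")
    return used


def keyspace(length, classes):
    """Candidates an exhaustive search must cover: (combined alphabet size) ** length."""
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    return alphabet ** length


def guesses_needed(password):
    """Expected guesses: dictionary entries are tried first, then on average half the keyspace.

    This models a password chosen uniformly at random from its classes; a dictionary word with
    a few substitutions is far weaker than this estimate suggests.
    """
    if password in COMMON_PASSWORDS:
        return COMMON_PASSWORDS.index(password) + 1
    return len(COMMON_PASSWORDS) + keyspace(len(password), classes_used(password)) // 2


def seconds_to_crack(password, guesses_per_second):
    """Expected time for an attacker testing guesses_per_second candidates (assumed rate)."""
    return guesses_needed(password) / guesses_per_second


if __name__ == "__main__":
    RATE = 10**10  # assumed guess rate, not a figure from the post
    for pw in ["password", "tqzvmkrw", "Tqzvmkrw", "Tqzvmkrw4", "Tqzvmkrw4#"]:
        print(f"{pw:12} classes={len(classes_used(pw))} "
              f"seconds={seconds_to_crack(pw, RATE):.3g}")
```

Adding one character class or one extra character raises the estimate by orders of magnitude, while a dictionary word falls on the first few guesses regardless of its length.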
Here’s a fun tool to demonstrate this concept: https://howsecureismypassword.net/. Although we don’t recommend that you enter your actual password!