Password complexity: best practice, tips & advice 

ramsac team members 20211019 220061.min

Creating, memorising, using, (and then updating) a complex-enough password for device logins is no easy task. When different users within a business, who might have to sign into multiple work or personal devices, attempt to log in, poor practice can become a matter of convenience. 

Committing to memorise every new iteration of a password is not always practical. We’ve entered at a moment in time where, as password complexity is encouraged, it’s often harder for humans to remember their login and easier for computers to guess their way in. This is where a business can quickly find the problem with passwords – it only takes one compromised password to lead to an alarming data breach.  

Nowadays, with so many devices and applications in operation, both at work and from home, it can be hard to monitor and regulate strong password health and best practice. With our help, you can update your approach to passwords for the better.  

What is password complexity?  

Password complexity, sometimes called password strength, is a way of measuring how difficult a password is to guess, especially against brute-force attacks.  

In many cases, for users accessing applications or devices for the first time, password complexity refers to requirements that gauge how secure it is. The greater the password complexity, the more secure the password is against guessing and similar attacks.  

In recent years, what’s known as “brute force attacks” have become increasingly common. This is a form of cyberattack where computer software is engineered to eventually guess a password correctly, often by calculating thousands of possibilities through names, words, letters, symbols, and information gathered from previous password breaches.  

ramsac team members 20211019 220152 RT.min

How are passwords discovered?  

Cyberattacks against weak passwords are an easy backdoor to your business’ data. Attackers will employ different social or technical techniques to steal passwords, which opens a vulnerability to gain unauthorised access to your data. Passwords can be discovered more easily than you might think, especially if your business doesn’t have the right cybersecurity measures in place to regulate policy and best practice.  

Techniques that attackers use to discover passwords are varied, and often require minimal to moderate technical skill to use. The National Cyber Security Centre (NCSC) advises awareness of the common kinds of attacks that could leave your passwords vulnerable, including:  

  • brute-force attacks  
  • using leaked or breached data from previous attacks to guess passwords  
  • social engineering, which involves trickery or deceit to gain information from a user (this also might include phishing)  
  • a method known as “password spraying”, which tries commonly used passwords to gain access  
  • “shoulder surfing”, where a password is guessed by watching a user type their password  
  • finding passwords written down, or stored incorrectly, such as sticky notes  
  • guessing weak passwords through gathering data about a user (such as name, or date of birth, for example) 
  • intercepting passwords, such as via a keylogger. 

Password vulnerabilities – these stats explain why you should care  

The reality of modern-day cybercrime is that it only takes one weak password to jeopardise a business’ data. That means, even if only one employee ignores your password policy or strays from best practice everyone’s data within that organisation could be compromised.  

Here’s the key stats to explain just how commonly exploited password vulnerabilities are: 

  • 89% of web application breaches came from passwords, which were either stolen or guessed through brute-force attacks (Verizon’s 2021 Data Breach Investigations Report, or DBIR)  
  • 61% of all breaches happened because of compromised credential data, where the likes of passwords enabled unauthorised system entry (DBIR 2021) 
  • Previous reports from the NCSC indicate that there have been historically (as of 2019) 23.2 million victim accounts where the password “123456” has been used.  

The benefits of password complexity  

Measuring passwords on their complexity or strength is important because this is a common area of weakness, where cybercriminals can guess or crack passwords for unauthorised access to devices and applications. Once inside, and after a user’s login credentials are compromised, your business’ data is in jeopardy.  

The theory of password complexity is to establish certain rules or ‘requirements’ that enforce best practice for password creation. This should, if correctly regulated, encourage colleagues to set up and create passwords that are unique every time. The greater the requirements, the tougher a password becomes to guess, or crack.  

Password requirements will, typically, encourage a user to create a longer passphrase, using greater combinations of letters, numbers, and characters. As a password becomes more complex, it takes longer to guess or breach. If it takes too long, this can often be enough of a deterrent to discourage an attack.  

There are, generally, two widespread misconceptions about password complexity, which are as follows:  

  1. That your device or application isn’t valuable enough for an attacker to invest their time into cracking your password.  
  1. That password complexity is all about making an impossible password that can never be guessed by an outsider.  

When creating a password, encourage employees to rethink about the goals of security and what they should be doing with their login credentials. Rather than create unguessable passwords, the goal is to make one that’s difficult enough to deter attacks – a cybercriminal will be discouraged from trying to steal passwords if they’re following strong practice.  

What are the rules for password complexity?  

There are several common rules for password complexity that are designed to encourage a user to take extra precautions in creating a stronger password.  

The common ingredients involved in password strength or complexity, include: 

  • character length  
  • use of special characters  
  • use of numbers  
  • a mix of upper and lowercase letters  
  • avoidance of personal information  
Rule  Why it matters 
Character length  The length of a password matters, and increasingly, the minimum password length is 8 characters. Many have argued that the longer the password, the harder it is to crack, guess or steal – therefore deterring attacks.   
Special characters   Special characters refer to those that are not alphabetic or numeric, but will typically still feature on most keyboards. Special characters are used to deter users from using identifiable phrases (these include !@#£%). 
Numbers / digits  Making effective use of numbers will help users create complex passwords, as it opens up more possible combinations.  
Upper / lowercase letters  Similar to using numbers or digits in your password, upper and lowercase letters can offer users even more combinations, keeping passwords safe and more secure.  
Avoidance of personal details  Personal details can be exploited, and even more easily guessed, making this a clear weakness for any employees making a new password.  

What makes a good password today?  

Passwords are easy to forget. They’re even easier for an outsider to steal if proper guidance is ignored at any stage where users are generating new passwords for device, application, or service logins.  

The problem with password complexity is that it establishes increasingly difficult parameters for password generation. This could potentially confuse the user’s memory, making logging in more difficult for the right people, not the attackers. It’s also limited to online logins and remains a vulnerable technique to the likes of social engineering or unsecure storage use.    

Recent alternatives have got cybersecurity professionals second-guessing password complexity, looking instead for new inspiration in how we can all stay safe when using passwords. This offers organisations more creative and secure ways to generate passwords that are up to the task of keeping users happy and safe online.  

Principal Technical Director, Risk Management Capability, Ian M, once suggested that #thinkrandom in the form of three random words could be an alternative to password generation that makes life a little easier for users.  

Under this theory, a user could string together any three words, making password creation more memorable.  

Let’s try it out:  

  • ‘walruscoffeecar’  
  • ‘guitarfishwall’  

But, the major rule is to avoid words with a personal association, which may be easily guessable to an outsider.  

Ultimately, password health is something determined from within your organisation. As long as you set up a policy, monitor how it’s being used, and train employees, you can remain secure.  

NCSC password guidance 

Take special care of your passwords. This is an overarching theme of the NCSC’s password guidance. Healthy practice starts with understanding the limitations of passwords and then determining what works well with your business – ensuring that all staff and colleagues are trained in it.  

Reducing organisational reliance on passwords is a great way to avoid the drawbacks of weak password security. This is because passwords are too often used unsuitably as a measure of defence, whereas biometrics, or multi-factor authentication would be far more effective.  

Challenge how you think about passwords, encouraging your business to see beyond traditional rules, like complexity requirements. The three-word password system described above is, for example, one method that can help managers rethink how they encourage better password health.  

Where you must use passwords, consider how these remain protected. Webpages, for example, should make use of authentication procedures such as HTTP access. Another method is to vet the security standards of any services you invest in, investigating what security is in place. Microsoft 365 accounts, for example, will have access to password advice and reminders, guiding strong password generation.  

Follow up on your password decisions by keeping staff informed – and updated – on policies that they should be aware of. This means training employees to understand the basics of password generation, how they can be discovered by attackers, and what they should be doing to remain safe (even in their personal lives).  

ramsac team members 20211019 220107 RT.min

How passwords affect cybersecurity 

In 2004, when he was Microsoft’s chairman, Bill Gates predicted that traditional passwords would be eventually phased out, because they cannot “meet the challenge” of security.  

According to the NCSC, there’s a widespread problem with passwords: with so many devices and applications in regular use, it’s harder than ever for users to recall large, often complex passwords. Their official guidance, which is worth remembering, advocates that every business should be focussing on two areas – “technical defences and organisational processes”.  

But, despite Bill Gates’ prediction, passwords have become more common in controlling access to our IT infrastructure, data, and services.  

There’s only so much that passwords can do for your security. Even with the best regulations in place, there’s only so much that password protection can offer your data and IT systems. For years, passwords have opened up and escalated vulnerabilities, where users have been impersonated – all because of a simple password breach.  

But that doesn’t mean your password policy shouldn’t be designed to help, rather than hinder, your layers of security.  

What are the limits of passwords?  

Passwords have become more common, according to the NCSC, because of the many services available online and the various personal devices used every day (including smartphones, tablets, and laptops).  

Passwords are a low-cost, easy-to-implement security measure that doesn’t require a lot of resources to install or monitor.  

Over time, as passwords become more complex, regulated, and expire (and, therefore, need resetting), there is an unpractical demand on users to remember and reinvent passwords time and again. This causes many well-intentioned users to create their own ways to cope with passwords, whether that’s writing them down, or reusing phrases. What happens is that user passwords become simple and predictable because it’s easier to remember.   

For managers, it’s hard to regulate user password creation strategies, which is why best practices encourage healthy password creation every time. These are often reset periodically; embrace some (or most) of password complexity requirements; and should use multi-factor authentication on device logins to add additional security layers.  

5 rules for healthier passwords  

Passwords need to be regulated within your business, ensuring that this simple login procedure doesn’t get accessed by an attacker. It helps for organisations to look into authentication more widely, but starting with a healthy approach to passwords can be the first step in securing yourself from a breach.  

#1 Update passwords periodically 

Like unpatched software, nothing can be more tempting to an attacker than an old password, especially if it has been reused. This applies to repeating passwords when it’s time to reset one; or sharing the same password between devices and applications.  

IT experts, like those at ramsac, will recommend periodically resetting passwords. This process should prompt users, after a period of time, to recreate a new password, thereby avoiding passwords expiring or becoming old.  

How often should you change your passwords?  

We advise changing your password every 3 months to avoid security risks.  

#2 Use multi-factor authentication (MFA) and alternatives  

More broadly, this tip is asking you to embrace Bill Gates’ earlier advice and distance your organisation from relying too much on traditional password protections. That’s not to suggest you can’t – or shouldn’t – be using passwords, but rather that it should be one part of your wider security measures. This guidance, which is shared by the NCSC, simply expects managers to avoid using passwords in situations where they’re not effective or relevant (or where a better alternative exists).  

Guest WiFi is an example where suitable passwords can be helpful, but for device logins, there are more secure ways of allowing users to verify their identify, including multi-factor authentication (or MFA).  

MFA is widely considered one of the most effective methods for enhancing security against a password-protected device, service, or application. An account with an MFA-enabled login requires the user to input another factor before they can fully get inside, such as code that’s texted to the user.  

Other password alternatives, include: 

  • biometric logins 
  • MFA 
  • temporary passwords  

#3 Support your users  

“Password overload” is a phenomenon where, with so many passwords to remember, users start to rely on workarounds to remember them. This is where organisations can step in with better, healthier password management solutions.  

A business can create secure storage facilities for passwords that are available privately to different users. A good, paid for, standalone password manager removes the user weaknesses usually linked to password management and removes the burden on a user’s memory, allowing them to store unique passwords securely and in-line with company policy.  

Should my devices be permitted to remember passwords?  

Password “chains” or “Keychains” are common for certain devices and for different service logins. Sometimes, a user will be prompted to allow a device to “remember” passwords on their behalf. This may appear convenient at first, but it’s worth remembering that no software is impenetrable from a breach. Don’t allow your computer, phone or web browser to remember your passwords, rely instead on a quality corporate password manager such as Password Boss. 

There is no universal rule for password safety and security, so defining this as a business should be a serious conversation that brings in best practice and policy making that works for you.  

#4 Avoid online password generators  

Techniques to generate passwords, like anonymous online generators, are not safe for effective password creation. Similar tools like password complexity checkers are also not advisable.  

These tools are more often malicious, which can deceive users into revealing personal details for the purpose of a breach. Even on social media, on platforms like Facebook, attackers are trying to gather information about different users all the time.  

User-generated passwords have the benefit of being cost-efficient, easy-to-implement and (if done correctly) unique. Machine-generated password have benefits, especially when it comes to creating unique logins. Ultimately, managers will need to be aware of the different password generation methods.  

Healthy password creation should be encouraged by understanding best practice, rather than being influenced by outside tools.  

#5 Evolve beyond password complexity rules  

The NCSC does not recommend using, or relying on, password complexity rules to generate passwords. Technical controls are more effective, but passwords should still be regulated with some rules enforcing complexity, such as a minimum character length.  

Password complexity is only the starting point in thinking about password strength and security within your organisation, ensuring that these don’t fall into the wrong hands.  

Password Boss factsheet

Protect your passwords with password boss

Password security is an area that organisations and individuals all struggle with; it is one of the largest security threats to an organisation. Find out how deploying Password Boss can protect your organisation.