Short complex passwords easier to crack than simple long ones

by Bharat Suneja

Infoworld columnist Roger Grimes provides some interesting information in his Security Adviser column about (short) complex passwords being easier to crack than longer “non-complex” ones. I’ve always encouraged users to use phrases or short sentences as passwords rather than sticking to the short password lengths imposed by I.T. departments, and Grimes confirms that.

Some interesting tidbits:

- Conventional wisdom says that because end-users have 94 characters to choose from on a 101-key keyboard, breaking an eight-character, complex password (out of 94^8 = 6,095,689,385,410,816 different possible passwords) is not a trivial task.

- ...if you require an eight-character-minimum password, most users will choose an eight-character password. If you require a capital letter, they will put it at the beginning because we are trained in writing class to do that.

- If you require a number, most users will put the number at the end, and the number will be 1 or 2.

Even though users have 94 characters to choose from on the keyboard, 80 percent of passwords will contain the same 32 characters and symbols — as mentioned in my previous columns. Most passwords by English authors contain a root English word, many of which can be found in a password-cracking dictionary containing just 30,000 words.
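To put numbers on the argument above, here is an added worked example (my own code, not from Grimes's column or this post) that compares the nominal keyspace of an eight-character "complex" password with the keyspace that is left once users follow the habits the column describes, and against two longer, simpler alternatives. The shape assumed for the "typical habits" case (one capital first, six lowercase letters, a final 1 or 2) and the guess rate used for the days column are illustrative assumptions, not measurements from the column; the 94-character alphabet and the 30,000-word dictionary are the column's own figures.

```python
import math

# Alphabet sizes used below. 94 printable characters and the 30,000-word
# cracking dictionary are the figures quoted in the column; 26 letters is
# the standard count.
PRINTABLE = 94
LOWER = 26
DICT_WORDS = 30_000


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of `length` symbols from an alphabet."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Equivalent strength in bits: log2 of the number of equiprobable candidates."""
    return math.log2(space)


def nominal_complex_8() -> int:
    """The 'conventional wisdom' keyspace: any 8 of the 94 printable characters."""
    return keyspace(PRINTABLE, 8)


def realistic_complex_8() -> int:
    """Keyspace once users follow the habits the column observed.

    Assumed shape (an illustration, not a measurement): a capital letter in
    position 1, six lowercase letters, and a final digit that is 1 or 2.
    """
    return LOWER * keyspace(LOWER, 6) * 2


def lowercase_passphrase(length: int = 16) -> int:
    """A long password built only from lowercase letters, no complexity rules."""
    return keyspace(LOWER, length)


def word_passphrase(words: int = 4, dictionary: int = DICT_WORDS) -> int:
    """Words chosen independently from a dictionary of the column's 30,000-word size."""
    return keyspace(dictionary, words)


def exhaustive_search_days(space: int, guesses_per_second: float = 1e9) -> float:
    """Days needed to try every candidate at an assumed guess rate.

    1e9 guesses/s is an illustrative figure for sizing policy, not a number
    from the column; change it to match whatever hash and hardware you model.
    """
    return space / guesses_per_second / 86_400


def policy_table() -> list[tuple[str, int, float]]:
    """(description, keyspace, bits) for each password policy being compared."""
    rows = [
        ("8 chars, any printable (nominal)", nominal_complex_8()),
        ("8 chars, typical user habits", realistic_complex_8()),
        ("16 chars, lowercase only", lowercase_passphrase(16)),
        ("4 words from 30,000-word dictionary", word_passphrase(4)),
    ]
    return [(name, space, round(entropy_bits(space), 1)) for name, space in rows]


if __name__ == "__main__":
    for name, space, bits in policy_table():
        days = exhaustive_search_days(space)
        print(f"{name:38s} {space:>30,d}  {bits:5.1f} bits  {days:>16,.1f} days")
```

Run it and the second row is the point of the column: the eight-character policy that looks like 52 bits on paper collapses to about 34 bits once users pick the predictable shape, while a sixteen-character lowercase string or a four-word phrase stays well above the nominal figure without any complexity rule at all.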

Grimes actually ran a contest to have password hashes cracked, with interesting results. Read the entire column on

And when it’s time to implement a new password policy, think about raising the minimum character length, and going lighter on the complexity bit... because the complexity part is what forces users to do crazy stuff like write passwords on sticky notes and paste them on monitors! :)

