Archive for April 24th, 2010


Password Complexity

Passwords are always a sensitive subject.  Most people find them annoying, particularly when you bring in complexity.  Most people struggle to remember their children’s cell phone numbers, and now you want them to remember something at least eight characters long made up of upper and lowercase alphabetic, numeric and special characters?  And you want me to change it at least every 90 days?  In the immortal words of John McEnroe, “You cannot be serious?”

Complex passwords are the bane of users’ lives.  Most users need to remember at least three passwords on average, so anything you can do to make password complexity easier on users will make your own life easier.  While I would like to take credit for this idea, it is not mine.  I attended an IP3 information security conference a number of years ago.  Ken Kousky was the instructor and passed along this idea, and the more I thought about it, the more sense it made.

The premise is that most security standards require that a password be comprised of a minimum of eight characters.  Those eight characters need to include upper and lowercase alphabetic, numeric and special characters.  In addition, a lot of standards go further and require that no alphabetic, numeric or special character be repeated in the password.

Mr. Kousky said, “What if you make the first four characters something everyone in your organization knows and you leave the last four as numeric digits that your users randomly select?  Make the first set of four characters hit the upper and lowercase alphabetic and special characters requirement.  You can tape this onto everyone’s keyboards or displays because it is common knowledge.  All your users have to remember is their unique four digits.  It is no more difficult than them remembering their PIN for their ATM.”

Think about this statement for a while before you blow it off as being too easy to be true.  A lot of life’s complexity is introduced because people charge ahead without thinking things through to come up with a sane way to accomplish what was asked.  After all, the simpler you make something, the more likely people are to comply with what you are asking them to do.

To be fair, there are a couple of other parameters that need to be in place in order for this concept to work.  First, you need to allow a user only three attempts to log on before you fail them.  Since you are relying on only a four-digit number for uniqueness, you cannot offer more than three logon attempts without creating an environment where someone guessing a password gets too many tries at any one time.  Next, you need to lock the account for a minimum of 60 minutes after three failed logon attempts.  Such a long timeout will frustrate and defeat most people attempting a brute-force password attack.  You need to force the user to call the help desk and properly identify themselves in order to get their user identifier re-enabled and their password reset if they wish to log on before the 60-minute wait time has elapsed.  And finally, any password reset requires the password to be changed at the first logon.
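To make the lockout parameters above concrete, here is an added example (not code from the original post) that models an account enforcing the three-attempt / 60-minute lockout with a mandatory change after a help-desk reset, and works out the online guess rate those parameters cap an attacker at; the class, constants and sample passwords are assumptions for illustration.

```python
"""Toy model of the lockout policy in the post (added example, not the author's).
Constants mirror the post's parameters; the Account class and names are assumed."""
from dataclasses import dataclass
import hmac

ATTEMPTS_BEFORE_LOCK = 3   # "allow a user only three attempts"
LOCKOUT_MINUTES = 60       # "lock the account for a minimum of 60 minutes"
SUFFIX_DIGITS = 4          # the user-chosen numeric part of the password


@dataclass
class Account:
    password: str              # kept in clear only for this toy model
    failures: int = 0          # consecutive failed attempts since last success
    locked_until: float = 0.0  # minutes on a simple monotonic clock
    must_change: bool = False  # set after a help-desk reset

    def logon(self, attempt: str, now: float) -> str:
        """One logon attempt at time `now`; returns 'locked', 'fail', 'ok' or
        'change-password'.  Attempts made while locked are not evaluated at all."""
        if now < self.locked_until:
            return "locked"
        if not hmac.compare_digest(attempt.encode(), self.password.encode()):
            self.failures += 1
            if self.failures >= ATTEMPTS_BEFORE_LOCK:
                self.locked_until = now + LOCKOUT_MINUTES
                self.failures = 0
            return "fail"
        self.failures = 0
        return "change-password" if self.must_change else "ok"

    def help_desk_reset(self, temp_password: str) -> None:
        """Help desk re-enables the ID after identifying the caller; the temporary
        password must be changed at first logon."""
        self.password, self.failures, self.locked_until = temp_password, 0, 0.0
        self.must_change = True

    def change_password(self, new_password: str) -> None:
        self.password, self.must_change = new_password, False


def max_guesses_per_day() -> int:
    """Upper bound on online guesses at one account in 24 hours when the lockout
    is enforced and the help desk does not re-enable the account early."""
    return ATTEMPTS_BEFORE_LOCK * (24 * 60 // LOCKOUT_MINUTES)


def days_to_try_every_suffix() -> float:
    """Days needed to try all 10**SUFFIX_DIGITS suffixes at that capped rate."""
    return 10 ** SUFFIX_DIGITS / max_guesses_per_day()
```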

I just wanted to share this simple yet effective way of achieving password complexity without creating a nightmare for your users.

