Skip to main content

The Complex Password Conundrum

It is interesting to note, that after three decades, penetration testing specialists, using social engineering techniques, still find the the easy to guess password to be the major weakness of corporate on-premise systems. Easy to guess meaning well-known passwords such as password or worse no password at all. In other words, in many cases, no hacking tools were required to break into the systems. What about users with slightly more interesting passwords such as rhododendron, cumpleaños (Spanish) or qu3st10n@b1e?

Users may think that substituting questionable with qu3st10n@b1e was complex, but the reality is that qu3st10n@b1e and the other two passwords would be hacked in seconds. The latest password hacking tools contain brute force algorithms, substitution algorithms, and password dictionaries in every known language, on extremely quick systems that make checking a few million possible passwords against an encrypted file very simple. In short, in spite of Office 365 and its associated applications using strong encryption, any file protected with an easily guessed/cracked password can be opened. It is the strength of the password that dictates the security and for this reason Office 365 enforces a tough logon password policy that forces all passwords to contain:

  • Eight to sixteen characters
  • A combination of uppercase and lowercase letters
  • At least one number or symbol
  • No spaces, tabs or line breaks
  • No username (i.e. the part before the @ symbol)

Although some users find the logon policy draconian, those in the security world would wish the number of characters to be a minimum of twelve not eight due to the increase in processing power which makes it possible to crack complex eight character passwords within four hours. However in spite of much documentation from Microsoft on pass phrases, complex passwords and hacking, users still find this issue difficult for several reasons:

  • They have to remember at least 5-10 passwords and pin numbers
  • They have to remember at least 5-10 new passwords every 30-90 days depending on the password change regime

It is for these reasons, users need to be taught a system that will enable them to regularly create complex, hard to crack, memorable passwords for their cloud-based and on-premise systems. For further information see Four Tips to Create Memorable Complex Passwords in Office 365.