ITS defines a good password as one that:
- is of reasonable length (at least 14 characters)
- has some complexity
- is memorable
- is unique from other passwords
- is not easily found
- is changed at least once a year.
Reasonable Length – Allegheny account passwords must be at least 14 characters long. We encourage them to be longer. The greater the length of a password, the longer it will take for software to crack it.
For example: Consider the following estimates of how long it would take to crack a letter-only password:
- A seven-letter password is likely cracked in under a second.
- A nine-letter password is likely cracked in two minutes.
- A twelve-letter password would take roughly four weeks.
Complex – When you add complexity by combining upper- and lower-case letters, numbers, and/or non-alphanumeric characters, the estimated time to crack increases exponentially.
For example: Consider what happens to the estimated time to crack a 12-character password when you do the following:
- Replace one letter with a number and four weeks jumps to four years.
- And then capitalize one of the letters and now it takes 3,000 years.
- And then replace a letter with a special character and it would likely take 34,000 years.
If you add a special character (making it a 13-character password), you would be looking at three million years. Adding one more special character to make it the full fourteen raises the estimate to over 200 million years.
*Estimates of time to crack come from How Secure Is My Password?
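The length and complexity effects described above can be reproduced with a simple exhaustive-search model (alphabet size raised to the password length, divided by a guess rate). This is an added example, not code from ITS or from How Secure Is My Password?; the guess rate, the symbol-class size, and the sample passwords are assumptions, so results for passwords with special characters will differ from the figures quoted above.

```python
import string

# Assumption: offline guessing rate, picked so the letter-only cases land near
# the page's figures. Real rates depend on the hash algorithm and hardware.
ASSUMED_GUESSES_PER_SECOND = 4e10

# Character classes an attacker must cover; the 33-symbol count (ASCII
# punctuation plus space) is an assumption.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " "]
OTHER_CLASS_SIZE = 100  # assumed size for anything outside printable ASCII

def charset_size(password):
    """Size of the alphabet implied by the character classes in use."""
    size = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    if any(not any(c in cls for cls in CLASSES) for c in password):
        size += OTHER_CLASS_SIZE
    return size

def keyspace(password):
    """Number of candidates in an exhaustive search: alphabet ** length."""
    return charset_size(password) ** len(password)

def seconds_to_exhaust(password, rate=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at the assumed rate."""
    return keyspace(password) / rate

def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for name, size in [("years", 31_557_600), ("weeks", 604_800),
                       ("days", 86_400), ("hours", 3_600), ("minutes", 60)]:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.2f} seconds"

# Constructed sample passwords mirroring the page's progression.
SAMPLES = ["abcdefg", "abcdefghi", "abcdefghijkl", "abcdefghijk1",
           "Abcdefghijk1", "Abcdefghij#1", "Abcdefghij#1!", "Abcdefghi#1!?x"]

if __name__ == "__main__":
    for pw in SAMPLES:
        ok = "meets" if len(pw) >= 14 else "below"
        print(f"{pw:<15} len={len(pw):<3} alphabet={charset_size(pw):<3} "
              f"{humanize(seconds_to_exhaust(pw)):>22}  ({ok} 14-char minimum)")
```

The model is a worst case for randomly chosen passwords only. A password that appears in a dictionary or a breached-password list is found far sooner than its length and character mix suggest.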
Comment
Again, length matters. Complexity matters too. Balancing complexity, length, and memorability is the key. If a password is long and complex, but you have to write it on a Post-it note stuck to your monitor or keyboard, its value is suspect. A memorable password is most important.