ITS defines a good password as one that:
- is of reasonable length (at least 14 characters)
- has some complexity
- is memorable
- is unique from other passwords
- is not easily found
- is changed at least once a year.
Reasonable Length – Allegheny account passwords must be at least 14 characters long. We encourage them to be longer. The greater the length of a password, the longer it will take for software to crack it.
For example: Consider the following estimates of how long it would take to crack a letter-only password:
- A seven-letter password is likely cracked in under a second.
- A nine-letter password is likely cracked in two minutes.
- A twelve-letter password would take roughly four weeks.
Complex – By adding complexity (combining upper- and lower-case letters, numbers, and/or non-alphanumeric characters), the estimated time to crack increases exponentially.
For example: consider what happens to the estimated time to crack a 12-character password when you do the following:
- Replace one letter with a number and four weeks jumps to four years.
- And then capitalize one of the letters and now it takes 3,000 years.
- And then replace a letter with a special character and it would likely take 34,000 years.
If you add a special character (making it a 13-character password), you would be looking at three million years. Adding one more special character to make it the full fourteen raises the estimate to over 200 million years.
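To show why both length and character mix move the estimate the way the two lists above describe, here is an added example (not ITS code, and not the method behind the figures quoted on this page, which come from the "How Secure Is My Password?" tool). It models the brute-force search space as alphabet_size ** length, converts that to an expected crack time at an assumed guess rate, and checks a password against the two criteria that can be checked mechanically (14-character minimum, more than one character class). The guess rate of ten billion per second, the ASCII character classes, and the sample passwords are all constructed assumptions, so the years printed here will not match the page's numbers; the shape of the growth is the point.

```python
import math
import string

# Sizes of the character classes a brute-force attacker would enumerate.
# Assumption: ASCII only; string.punctuation has 32 characters.
CLASS_SIZES = {
    "lower": 26,
    "upper": 26,
    "digit": 10,
    "symbol": len(string.punctuation),
}

# Assumed offline guessing rate (constructed, hypothetical figure):
# 10 billion guesses per second.
GUESSES_PER_SECOND = 1e10

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def character_classes(password: str) -> set:
    """Return the set of character classes that appear in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("symbol")
    return classes


def keyspace(password: str) -> int:
    """Number of candidates an attacker must consider, assuming they already
    know which character classes were used (a conservative assumption that
    favours the attacker). Exponential in length, polynomial in alphabet size."""
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(password))
    return alphabet ** len(password)


def entropy_bits(password: str) -> float:
    """Search-space size expressed in bits (log2 of the keyspace)."""
    return math.log2(keyspace(password))


def crack_time_years(password: str, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Expected years to find the password: on average half the keyspace is
    searched before a hit, at the assumed guess rate."""
    seconds = keyspace(password) / 2 / guesses_per_second
    return seconds / SECONDS_PER_YEAR


def meets_its_policy(password: str) -> list:
    """Return the checkable ITS criteria the password fails. An empty list means
    it passes the length and complexity checks; memorability, uniqueness and
    rotation cannot be judged from the string itself."""
    failures = []
    if len(password) < 14:
        failures.append("shorter than 14 characters")
    if len(character_classes(password)) < 2:
        failures.append("single character class only")
    return failures


if __name__ == "__main__":
    # Constructed sample passwords, stepping through length and then complexity
    # in the same spirit as the page's two lists.
    samples = [
        "abcdefg",                # 7 lower-case letters
        "abcdefghi",              # 9 lower-case letters
        "abcdefghijkl",           # 12 lower-case letters
        "abcdefghijk1",           # 12 chars, one digit
        "Abcdefghijk1",           # 12 chars, digit + capital
        "Abcdefghij!1",           # 12 chars, digit + capital + symbol
        "Blue!Kettle-Sings42",    # 19 chars, all four classes
    ]
    for pw in samples:
        print(f"{pw:22s} len={len(pw):2d} bits={entropy_bits(pw):6.1f} "
              f"years={crack_time_years(pw):.3g} fails={meets_its_policy(pw)}")
```

Running the script prints one line per sample; each extra character multiplies the keyspace by the alphabet size, while adding a class only enlarges that multiplier, which is why the 19-character sample dwarfs every 12-character variant even though the latter carry the same mix of classes.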
Again, length matters. Complexity matters too. Balancing complexity, length, and memorability is the key. If a password is long and complex, but you have to write it on a Post-it note stuck to your monitor or keyboard, its value is suspect. A memorable password is most important.
*Estimates on time to crack come from How Secure Is My Password?