
What would be the security implications if an organisation decided to implement semi-complex passwords (one letter and one letter), and not fully complex? I'm thinking in terms of mobile devices and operating system functionality. If an organisation used semi-complex passwords, would this have any adverse effects on iOS and Windows phones?

Thanks,

KingJohnno
  • Do you mean at least a number and a letter? Two letters would not make a secure password :-). Ideally, a password should be long, have numbers, special characters, capital letters, and lowercase letters. – Jonathan Feb 10 '15 at 13:28
  • Hi Jonathan, I'm looking at this from the point of view of a minimum length of 5 characters, and semi-complex. – KingJohnno Feb 10 '15 at 14:20

1 Answer


Semi-complex passwords would be much less secure than complex passwords (but more secure than simple passwords). Ideally, a password should be long, have numbers, special characters, capital letters, and lowercase letters. Long passwords are especially to be desired because each additional letter makes the password 26 times harder to guess if only lower case characters are used. If uppercase characters are also required, this makes it 52 times harder to guess per additional character. If numbers are added, each character makes it 62 times harder to guess. Special characters increase this further.

Keep in mind that a 5 character password can be easily brute forced with modern technology and is not very secure, so you will want much longer passwords. As technology advances, even longer passwords (or other methods of security) will be required. As for the effects on mobile phones and operating systems, it depends on their implementation if adding these requirements would cause a problem, but it shouldn't. I have encountered websites that don't like special characters in passwords, for example, but this could be fixed by the site's implementation.

Another thing to consider is that long passwords on a phone are harder to enter, as pointed out by Bill Weiss in the comments. For this reason, it might be good to consider alternate authentication technologies (e.g. PIN / biometric / tokens) as well. This has prompted me to ask the following question here, which may come up with better ways to authenticate than passwords: What is a good way to authenticate a user to a smart phone?

The following analysis from xkcd.com shows the value of longer vs. more complex passwords (although the example they post might be more easily cracked with a dictionary attack).

[Image: xkcd comic, "Password strength"]

Jonathan
  • You have to offset this with the difficulty of input on those mobile devices. Typing a 30 character passphrase on my phone every time I want to use it would be really aggravating. – Bill Weiss Feb 10 '15 at 14:57
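
The arithmetic behind the answer above, as an added example that is not part of the original posts: it counts the passwords each policy actually permits (a "must contain" rule removes candidates, so inclusion-exclusion is needed) and compares the asker's 5-character letter-plus-digit policy with a fully complex and a longer one. The 32-character symbol set, the policy list and the guess rate are assumptions chosen for illustration.

```python
from itertools import combinations

def keyspace(length, classes, required=()):
    """Count passwords of exactly `length` characters drawn from `classes`
    (class name -> number of characters) that contain at least one character
    from every class named in `required` (inclusion-exclusion)."""
    alphabet = sum(classes.values())
    count = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            # Passwords that use none of the characters in `missing`.
            remaining = alphabet - sum(classes[name] for name in missing)
            count += (-1) ** k * remaining ** length
    return count

def worst_case_seconds(count, guesses_per_second):
    """Time to try every permitted password at a fixed guess rate."""
    return count / guesses_per_second

# Class sizes: 52 letters and 62 letters+digits as in the answer; the
# 32-character symbol set is an assumption (printable ASCII punctuation).
SEMI = {"letter": 52, "digit": 10}
FULL = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}
LOWER = {"lower": 26}

POLICIES = [
    ("5 chars, letter + digit required", 5, SEMI, ("letter", "digit")),
    ("5 chars, all four classes required", 5, FULL, tuple(FULL)),
    ("12 chars, lowercase only", 12, LOWER, ()),
]

# Assumed rate for an offline attack on a fast hash; not a measured figure.
ASSUMED_RATE = 1e9

def compare(policies=POLICIES, rate=ASSUMED_RATE):
    """Return (name, permitted passwords, worst-case seconds) per policy."""
    rows = []
    for name, length, classes, required in policies:
        n = keyspace(length, classes, required)
        rows.append((name, n, worst_case_seconds(n, rate)))
    return rows

if __name__ == "__main__":
    for name, n, secs in compare():
        print(f"{name:38} {n:>22,} {secs:>16,.1f} s")
```

The first policy permits fewer passwords than the unrestricted 62^5, because the rule excludes every all-letter and all-digit candidate, and at the assumed rate it is exhausted in under a second.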