Posted by richard
Development | 06-09-2016
Microsoft show us how not to do password complexity
While doing some administration work (at work) on Office 365 I came across this lovely little gem of a complexity rule for Office 365 passwords -
Passwords can't contain your user ID and need to be at least 8 characters long with at least 3 of the following: upper-case letters, lower-case letters, numbers and symbols.
Now here's the thing. My standard passwords have (at least) 1 of everything listed. Upper-case? Several. Lower-case? Several. Numbers? Several. Symbols? Several. They don't, however, have 3 of each (obviously I'm not going to give the whole game away here! I use a rotation of related phrases that differ between accounts to aid memory). Worth noting it also spits out anything I tried longer than 16 characters.
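The rule as quoted above, with the 16-character cap observed in practice, as a small checker plus the two strength estimates a practitioner actually cares about. This is an added example, not code from the original post and not Microsoft's own validation logic. The sample user ID, the two sample passwords, the symbol-set size of 33 (the non-alphanumeric printable ASCII characters, space included), and the guess rate are assumptions made for illustration. Read literally, the rule asks for any 3 of the 4 character classes, so a passphrase that uses all four passes the class test and is rejected only by the length cap; the example also shows why the "quadrillion years" figures from online meters overstate passphrase strength: they assume brute force over the whole alphabet, whereas an attacker who guesses a four-word phrase from a 7776-word list faces only about 52 bits.

```python
import math

MIN_LEN = 8
MAX_LEN = 16   # cap observed in the post; not stated in the quoted rule (assumption)

# Printable ASCII: 26 upper + 26 lower + 10 digits + 33 others (space and punctuation) = 95
CLASS_SIZES = {"upper": 26, "lower": 26, "digit": 10, "symbol": 33}


def char_classes(password):
    """Set of character classes present; anything non-alphanumeric counts as a symbol."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def check_office365_rule(password, user_id):
    """Apply the quoted rule (no user ID, >= 8 chars, any 3 of 4 classes) plus the
    observed 16-character cap. Returns the list of failures; empty means accepted."""
    failures = []
    if user_id and user_id.lower() in password.lower():
        failures.append("contains user ID")
    if len(password) < MIN_LEN:
        failures.append("shorter than %d characters" % MIN_LEN)
    if len(password) > MAX_LEN:
        failures.append("longer than %d characters" % MAX_LEN)
    if len(char_classes(password)) < 3:
        failures.append("fewer than 3 of the 4 character classes")
    return failures


def brute_force_bits(password):
    """Search-space bits if the attacker knows only the length and which classes
    are used and tries every combination. This is roughly what online
    'how secure is my password' meters estimate."""
    alphabet = sum(CLASS_SIZES[c] for c in char_classes(password))
    return len(password) * math.log2(alphabet)


def passphrase_dictionary_bits(word_count, wordlist_size=7776):
    """Search-space bits if the attacker knows the phrase is word_count words drawn
    from a wordlist (7776 is the size of the Diceware list). This is the honest
    figure for a 'correct horse battery staple' style passphrase."""
    return word_count * math.log2(wordlist_size)


def years_to_exhaust(bits, guesses_per_second):
    """Time to try the whole space at a given guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    user = "richard"                                  # sample user ID (constructed)
    passphrase = "Correct Horse Battery Staple 9!"     # 31 chars, all 4 classes (constructed)
    short = "Xk7!pQ2m"                                 # 8 chars, all 4 classes (constructed)
    for pw in (passphrase, short):
        verdict = check_office365_rule(pw, user) or ["accepted"]
        print("%-32s %s" % (pw, ", ".join(verdict)))
        print("   brute-force space: %.1f bits" % brute_force_bits(pw))
    # 1e10 guesses/s is a round number for an offline attack on a fast unsalted
    # hash (assumption, not a measured figure).
    dict_bits = passphrase_dictionary_bits(4)
    print("4-word phrase, dictionary attack: %.1f bits, %.1e years at 1e10 guesses/s"
          % (dict_bits, years_to_exhaust(dict_bits, 1e10)))
```

Run it and the 31-character passphrase fails on length alone while the 8-character password is accepted with a search space of about 52.6 bits; the passphrase's brute-force figure is over 200 bits, but its dictionary-attack figure is about 51.7 bits, which is the number to compare against the 8-character password, and which still favours the phrase only because the length cap is what forces the short one.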
To analyse: there's nothing wrong with "Passwords can't contain your user ID" at least, but the rest? 3 upper case letters, 3 lower case letters, numbers and symbols. I thought I'd be a little more scientific and a little less judgemental and turned to the interwebs to tell me whether my normal password (part of the "Correct Horse Battery Staple" line of thought; there's always a relevant XKCD comic) or my Microsoft-enforced password was stronger.
According to howsecureismypassword, my own password would take ~18 quadrillion years to crack. My Microsoft-enforced password? A reasonably respectable 7 million years. Still, not even close.
The second checker gave my own password a respectable 86% (although it doesn't accept spaces as symbols) while giving my new Office 365 password 91%. Round 2, Microsoft.
Final round, Kaspersky's password checker. My password: 10,000+ centuries (seems that's their maximum). Microsoft? A not-so-respectable 12 years. Worth noting that according to Kaspersky even the Tianhe-2 supercomputer would take close to 2 years to crack my password, but it's past my Office 365 password in 2 minutes flat. Hopefully the Chinese government doesn't want access to my Office 365 in that case.
So, 2-1 in my favour. However, there is one important thing to remember: I can actually remember my password despite its complexity. Enforcing the use of random symbols or number sequences, or, as seen from other guilty parties, specific symbols and rules against consecutive characters, does one thing: it causes the average user to write the password down and stick it to their monitor on a post-it note. Who wins when this is the case? Not the user.