Authentication: Passwords


Passwords.  I love them. I love them so much, I have over 150 of them.


We have our identity and we provide it to a system.  In order to prove we are who we say we are, we need to authenticate. Passwords are one method for authentication.  In theory, passwords are easy, but in practice, if we want to have some level of security, passwords are not easy.

  • Passwords are supposed to be complex.
  • Passwords are supposed to be unique across services
  • Passwords are supposed to be something you can remember

All I have to say is “Good Luck!”


Passwords often play a part in multi-factor authentication.  Passwords are the “What you know” factor. This is the easiest factor to implement, but is it very secure or easy to use?

More information on multi-factor authentication.

Password Complexity Rules

First, password complexity rules are dumb.

  • Password must be at least 8 characters but no longer than 20 characters
  • Password must contain at least 1 lower case letter and 1 upper case letter
  • Password must contain at least 1 from the following set: ! @ # $ % ^
  • Password must not contain the following: ( ) * & [ ] { } ~ `
  • Password must not contain words longer than 4 letters
  • Password must not contain 2 identical, consecutive characters
  • Password must not contain your user name, first name or last name
  • Password must not contain a number found in the first 6 digits of pi
  • Password must not contain the airspeed velocity of an unladen swallow

Most of us have seen something similar when creating a password; but, do you realize that password complexity rules actually make it easier for a computer to guess your password (brute force attack)?

Password complexity rules decrease the total number of possible passwords. For each character in our password, we have a total of 95 potential options:

  • 26 uppercase letters (ABCDEF)
  • 26 lowercase letters (abcdef)
  • 10 digits (012345)
  • 33 symbols (!@#$%^&)

If I have a 6 character password, I have a total of 735,091,890,625 possible passwords (95*95*95*95*95*95).

However, if I invoke password complexity rules forcing me to use an uppercase letter, lowercase letter, a digit and a symbol, I now only have a total of 2,013,297,000 possible passwords (26*26*10*33*95*95).

With a 6 character password, password complexity rules decreased the total number of potential passwords by 99.8%!  However, because an attacker does not know the position of the symbol, digit, upper or lower case character, complexity rules don’t impact brute force attacks, so there are still 735,091,890,625 potential passwords. 

The worst thing about password complexity rules is they make it a lot harder for me to remember my password. What password is easier to remember: “forget” or “F0rg$t”.

Plus, I’m not creative enough to come up with complex passwords that i can remember. I’d have to spend hours thinking of one, which I will immediately forget. What a waste of time.

Password Length

What if we make our passwords longer?  Longer passwords are much more effective against a brute force attack.  Without password complexity rules, the total number of possible passwords increases dramatically:

  • 6 Characters: 735,091,890,625
  • 8 Characters: 6,634,204,312,890,625
  • 10 Characters: 59,873,693,923,837,890,625
  • 15 Characters: 463,291,230,159,753,366,058,349,609,375

Longer passwords are better against brute force attacks. But by longer passwords, we need really longer passwords.  If we avoid password complexity rules, we need passwords that are longer than 8 characters because “password” is an 8 character word and we have all seen reports that the most common passwords are “password” and “12345678”.  We need longer passwords so we prevent users from using these common passwords, which are very effective in a password spraying attack (where an attacker tries a common password across every identity).

A 15 character password sounds horrible, but if you don’t include complexity rules, it is much easier to remember something like “chickenwolfmoon” than “F0rg$t”.  Plus, I can type “chickenwolfmoon” much faster than “F0rg$t”.

Password Change Rules

Many sites enforce users to change passwords every 90 days. What most users do is simply take their password and increment by 1.  After 90 days, my password will be “chickenwolfmoon1”. Then, 90 days after that it will become “chickenwolfmoon2”.

This is a very common practice, which makes you wonder if requiring users to change passwords really helps.   If I know your password and it suddenly stops working, I will just increment it by one. But, if my password is long enough, like 15 characters, what is the likelihood that it will get comprised?

The only way a password change policy is effective is if the user completely changes the password. Unfortunately, this strategy makes it hard for the user to remember the new password.


Let’s take a little quiz. Without looking

  • What 6 character, complexity-rules password did I use?
  • What 15 character password did I use?

Did you get it right? Which one was easier to remember?  My bet is the 15 character password.

Passwords are part of our identity, but they are often the weakest link. They only provide a single authentication factor. Our beliefs in complexity rules and password change policies only make it harder on the users, which is why “password” is often quoted as the most common password.  Complexity rules do more harm than good against brute force attacks and shorter passwords makes it easier for password spraying attacks.

With passwords, bigger is better.

Authentication Blog Series: 

Daniel (Follow on Twitter @djfeller)
Citrix Workspace Poster
XenApp/XenDesktop On-Prem Poster
XenApp/XenDesktop Cloud Service Poster









3 thoughts on “Authentication: Passwords”

  1. Hi Daniel,
    I think your math logic is incorrect. If I was to hack a password by brute force, I would start by trying lower case and numbers only. That would be 36^6 for 6 characters or 2,2176,782,336. So, if your password only have lower case and numbers, it would require about 2 billion tires. Now, if you are forced to use at least (more than one is allowed and no position in the sequence required) an upper case, number and symbol, you would still have to try 95^6 possibilities, because first, you do not know where they go, so you still have to try every possibility in every position (if you are hacker) and second, you can use more than 1 of each upper case and symbols. So, you might have less choices, but a brute force attack requires the same number of tries 95^6.


  2. Great article. Some other issues with mandatory changes / mandatory rules include:

    Users create one “clever” p@ssw0rd01 and use it across multiple sites (because who can remember 161 passwords?)

    Users resort to password apps & tools, which would be OK but several have been compromised themselves.

    Users get frustrated and look for ways around the system. When users are frustrated they end up bypassing well intentioned security rules and systems.

    N factor or multi-factor or whatever the popular term is could be a big help, except when the app and the multi-factor mechanism are on the same hand held device or computer. Crack one device, and you have the keys to everything.

    By the way, I caught your presentation at the Citrix Texas XL event and it was excellent.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.