Strong Passwords: The Problem with Complexity
Author: HollyGraceful Published: 07 June 2021 Last Updated: 04 November 2022
Weak passwords are those which are predictable and can be easily guessed. To ensure that users do not select weak passwords organisations may look to enforce password complexity. Complexity refers to the requirement to use a mixed character set. For example, on Active Directory accounts complexity requires three of the four: uppercase, lowercase, numbers, and symbols. However it is still possible to select weak passwords with complexity enabled, such as Welcome!, Summer2020, or Password123456.
Both NIST and the NCSC now recommend against enforcing password complexity. Additionally, the NCSC recommends that users are instead encouraged to use passphrases in the form of "three random words", such as dividemovingbadger or relationabsorbradical.
It is recommended that a minimum password length is set to encourage users to use passphrases, such as a minimum of 16 characters, but that complexity is not enforced.
For Active Directory Domains, complexity can be disabled with the following Group Policy setting:
Computer Configuration → Policies → Windows Settings → Security Settings → Account Policies → Password Policy → Password must meet complexity requirements
Additionally, it is recommended that the system is configured with a block-list of known common and previously compromised passwords, such as Password123. Furthermore, consider supplying guidance to users on how to select secure passwords and the benefits of passphrases.