Strong Passwords: The Problem with Complexity

Author: HollyGraceful    Published: 07 June 2021

Weak passwords are those that are predictable and easily guessed. To stop users choosing them, organisations often enforce password complexity, meaning a requirement to use a mixed character set. On Active Directory accounts, for example, the complexity setting requires characters from at least three of five categories (uppercase letters, lowercase letters, digits, non-alphanumeric symbols, and letters from scripts without case) and that the password does not contain the account name. However, it is still possible to select weak passwords with complexity enabled: `Welcome!`, `Summer2020` and `Password123456` all satisfy the rule, because complexity only checks which character classes appear, not how predictable the combination is.

Both NIST (SP 800-63B) and the NCSC now recommend against enforcing password complexity. Instead, the NCSC recommends encouraging users to choose passphrases in the form of "three random words", such as `dividemovingbadger` or `relationabsorbradical`. Note that passphrases like these are lowercase only, so a complexity rule would reject them while accepting `Summer2020`; the two approaches cannot sensibly be combined.
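To show what the complexity rule actually tests, here is an added example (my own PowerShell, not code from the original article) that re-implements the Active Directory complexity rule as Microsoft documents it and runs the passwords above through it alongside a 16-character minimum. The function and parameter names, and the sample account name `jsmith`, are assumptions made for the example.

```powershell
# Added example, not from the original article. Re-implements the documented
# Active Directory complexity rule so the strings above can be tested offline;
# function/parameter names and the sample account 'jsmith' are assumptions.
function Test-AdComplexity {
    param(
        [Parameter(Mandatory)] [string] $Password,
        [string] $SamAccountName = '',
        [string] $DisplayName    = ''
    )

    # Rule 1: the password must not contain the account name (when it is three or
    # more characters) or any display-name token longer than two characters.
    # AD compares case-insensitively, which is PowerShell's default for -match.
    $forbidden = @()
    if ($SamAccountName.Length -ge 3) { $forbidden += $SamAccountName }
    $forbidden += @($DisplayName -split '[,.\-_ #\t]' | Where-Object { $_.Length -gt 2 })
    foreach ($token in $forbidden) {
        if ($Password -match [regex]::Escape($token)) { return $false }
    }

    # Rule 2: characters from at least three of five categories. -cmatch keeps
    # the Unicode category classes case-sensitive.
    $categories = 0
    if ($Password -cmatch '\p{Lu}')               { $categories++ }  # uppercase letters
    if ($Password -cmatch '\p{Ll}')               { $categories++ }  # lowercase letters
    if ($Password -match  '\p{Nd}')               { $categories++ }  # base-10 digits
    if ($Password -match  '[^\p{L}\p{Nd}\p{Sc}]') { $categories++ }  # symbols/punctuation (currency symbols are not counted)
    if ($Password -cmatch '[\p{Lo}\p{Lm}\p{Lt}]') { $categories++ }  # letters with no upper/lower case, e.g. CJK
    return ($categories -ge 3)
}

# Constructed sample: the weak-but-complex passwords from the article next to the
# NCSC-style three-word passphrases, each also checked against a 16-character minimum.
$samples = 'Welcome!', 'Summer2020', 'Password123456', 'dividemovingbadger', 'relationabsorbradical'
foreach ($p in $samples) {
    [pscustomobject]@{
        Password         = $p
        Length           = $p.Length
        PassesComplexity = Test-AdComplexity -Password $p -SamAccountName 'jsmith'
        MeetsLength16    = $p.Length -ge 16
    }
}
```

Running it prints a table in which `Welcome!`, `Summer2020` and `Password123456` pass complexity but fail the 16-character minimum, while both passphrases fail complexity and pass the minimum. That is the conflict a policy has to resolve, and the recommendations that follow resolve it by dropping complexity and raising the minimum length.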

Instead, set a minimum password length that nudges users towards passphrases, for example 16 characters, and do not enforce complexity.

For Active Directory domains, complexity is disabled by setting the following to Disabled in a Group Policy Object linked at the domain level (by default, the Default Domain Policy):

Computer Configuration → Policies → Windows Settings → Security Settings → Account Policies → Password Policy → Password must meet complexity requirements

Account policy settings only affect domain accounts when they come from a domain-linked GPO, and any Fine-Grained Password Policy (PSO) applied to a user or group overrides this setting for them, so check both the domain GPO and the PSOs after making the change.

Additionally, configure the system with a block-list of common and previously breached passwords, such as `Password123`, and reject any password on the list when it is set or changed. Finally, give users guidance on how to select secure passwords and on the benefits of passphrases.
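The following added script (my own, not the article's) checks that the policy change above has taken effect: it reads the effective default domain password policy and every fine-grained password policy and reports anything that still enforces complexity or allows a minimum length below 16. It assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined host with rights to read the domain, and the 16-character threshold is the figure recommended above.

```powershell
# Added example, not from the original article. Audits the effective AD password
# policy against the recommendations: complexity off, minimum length 16.
# Assumes the ActiveDirectory module (RSAT) on a domain-joined host.
Import-Module ActiveDirectory

$minLength = 16   # threshold recommended in the article
$default   = Get-ADDefaultDomainPasswordPolicy

$findings = @()
if ($default.ComplexityEnabled) {
    $findings += 'Default domain policy still enforces complexity'
}
if ($default.MinPasswordLength -lt $minLength) {
    $findings += "Default domain policy minimum length is $($default.MinPasswordLength), expected at least $minLength"
}

# Fine-grained password policies (PSOs) take precedence over the default policy
# for the users and groups they apply to, so each one has to be checked as well.
foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter *) {
    if ($pso.ComplexityEnabled) {
        $findings += "PSO '$($pso.Name)' (precedence $($pso.Precedence)) enforces complexity for: $($pso.AppliesTo -join ', ')"
    }
    if ($pso.MinPasswordLength -lt $minLength) {
        $findings += "PSO '$($pso.Name)' minimum length is $($pso.MinPasswordLength), expected at least $minLength"
    }
}

if ($findings.Count -eq 0) {
    "Password policy matches: complexity off, minimum length $($default.MinPasswordLength)"
} else {
    $findings
}
```

`Set-ADDefaultDomainPasswordPolicy -ComplexityEnabled $false -MinPasswordLength 16` also exists, but account policy values defined in the domain-linked GPO are reapplied to the domain on policy refresh, so make the change in the GPO as described above and use a script like this one to confirm the result and to catch PSOs that quietly re-enable complexity for a subset of users.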