- Kyle Rauschelbach

# Password Complexity - What Matters the Most?

The number of daily internet users is consistently increasing, which means the number of vulnerable passwords is increasing as well. As a result of users’ increased presence online, malicious attackers are looking to exploit the lack of complexity in user passwords.

When creating a new account on a website, streaming service, etc., you often see specific password requirements for length and character complexity (certain length, special characters, capitalization, etc.). While sometimes this can seem overbearing and annoying, it is important to understand that a complex password is often a more secure one.

To best explain how attackers look to exploit passwords, we have created a die scenario that we will walk through. Through this example, we will look at how the complexity and length of a “secret sequence”, can make it harder for a hacker to break into an account.

The setup begins by selecting a sequence that we must keep secret; this secret sequence will be our password. For our example, our secret sequence will be “2145”.

Using the dice shown above, it is impossible for someone rolling each one to come up with our secret sequence. No matter how many times the dice are rolled, there are simply not enough dice to match our sequence (there are 4 numbers in our secret sequence, therefore an attacker would need 4 die to guess our sequence). If our numbers were more limited, even by one die, an attacker would be able to guess our secret sequence with ease.

In scenario #2, we have added 2 new dice to the sequence. Using the same secret sequence, “2145”, the number of dice now meets the length requirement to guess our secret sequence, but the highest number on the dice is only 4. So again, no matter how many times a person rolled this set of dice, they will never be able to guess our secret sequence.

In scenario #3, we have increased the total number of dice to five and total number of sides on each die to six. This combination of the dice gives a person the chance to finally guess our secret sequence. With five dice with six sides each in total, someone randomly rolling the dice would eventually be able guess our secret sequence of “2145”.

If you wanted to add more security to your number sequence, you would want to increase the length of the overall sequence and use more numbers than just 1-6. By making these easy and simple changes, you would increase the difficulty of guessing the secret sequence immensely.

Now let’s take this example and apply it to passwords. Hackers regularly perform an attack known as a “Brute Force”, where they are attempting to guess account passwords. Hackers can use computer programs to automate this attack so they can attempt thousands of passwords in just seconds. These brute force attacks can be carried out where an attacker has the program randomly guess characters and numbers in a sequence until they obtain access to the account.

Hackers frequently use a brute force method, known as a “Dictionary Attack”. This type of attack uses common words that one would find in a dictionary, to guess an account’s password. Hackers will include numbers and special characters with these words, so the chances of them guessing your password are increased.

So, how exactly does one protect themselves from a hacker guessing their password or obtaining the password from a brute force attack? Just like in our example, we can increase the complexity of our passwords. By making simple changes to increase the complexity of your account passwords, such as using longer passwords, with more complexity in the characters (i.e. special characters, numbers, and a mixture of lower case and capitalized letters), you can reduce the risk of your account’s password being guessed by a hacker. This will protect your personal, business, or sensitive information from being stolen by hackers.

Additional contributors to this article include: Mike Harber, Brendan Kenney & Max Winterburn