password 620x412 Usability vs. Your Password Policy

What’s more important to you?

Hackers have been getting a lot of press lately. Seeming fortresses from Governments and Banks to Twitter and Facebook accounts getting stung. Hackers getting in causing havoc and leaving. It is causing many people to worry about the security of their own online assets and some people should be. However it is a problem of their own making.

Most hacking attempts that befall a normal person or small organisation will be people trying to crack your password(s) and a good password policy can give you the sort of protection to let you rest easily.

So how are they getting through?

One of the most common hacking techniques is called a brute force attack.

In cryptography, a brute-force attack, or exhaustive key search, is a cryptanalytic attack that can, in theory, be used against any encrypted data


Essentially an automated program will run through every variation of possible passwords. For example if the hacker knew initially that your password was 8 lower case characters long, it could start at aaaaaaaa then aaaaaaab… etc. until it found your password out of the 208 billion combinations. (This password would take around 52 seconds to crack as it could run around 4 billion calculations a second).

When designing a website I always ask the organisation about their password policy and too often they haven’t got one and sometimes don’t even understand what I mean. A password policy is essentially a set of rules which encourages the user to create a password which is harder to crack. This is done either through advice or, in most cases, enforcing it.

How strong is a strong password?

The most important and easiest step in ensuring a good policy is the fundamental strength of the password. However the more complex you make a password, the harder it is to remember and the more it will put your users off. So it’s all about making a trade-off.

To make this decision easier lets run through an ever more complicated password so you can see the benefits.

Policy One: None, they choose the password table

Time to crack: 0.002970344 seconds (possible combinations 11 million)

Policy Two – minimum length: Password must be 8 – 14 Characters, they choose possibly.

Time to crack: 52 Seconds (possible combinations 208 billion)

Policy Three – add a number: Password must be 8 – 14 Characters including at least one number, they choose po5sibly.

Time to crack: 11 minutes (possible combinations 2 Trillion)

Policy Four – Add Uppercase: Password must be 8 – 14 Characters including at least one number, and use both upper and lowercase, they choose Po5sibly.

Time to crack: 15 Hours (possible combinations 218 Trillion)

Policy Five – Add Symbols: : Password must be 8 – 14 Characters including at least one number, use both upper and lowercase, and use symbols, they choose Po5$ibly.

Time to crack: 3 Days (possible combinations 1 quadrillion)

Policy Six – Greater length: : Password must include at least one number, use both upper and lowercase, use symbols, but now must by 10-14 characters long, they choose imPo5$ibly.

Time to crack: 58 years (possible combinations 7 quintillion)

Where does your security fit?

Obviously the longer and more complex you make the password the harder it is to crack. But it gets to a point where people will but put off creating an account on your website due its complexity, or forget the password they made and won’t bother seeking a new one.

On the other hand, a security breach will damage your reputation which would have an even worse effect on potential user accounts. Depending on what sort of Website you have will affect how secure a password policy you need, but make sure you have thought about it.