Even with smartcards, biometrics, and other multifactor authentication solutions, everyone still uses basic name/password log-on combinations. Security experts always recommend "strong passwords." But what qualifies as a strong password? And how do you avoid creating a password so strong you can't remember it?
According to NIST (National Institute of Standards and Technology), a strong password should contain no fewer than 12 characters, a rule adopted by the U.S. government in 2007 and further defined in the U.S. Government Configuration Baseline. Admin passwords should be 15 characters. Readers may sigh at those lengths, but they've been the recommended minimum for half a decade. Anything shorter is not considered secure.
Sure, many people can and do use shorter passwords. But you should be aware that as you increase the length, you provide greater protection over time. An 8-character password may be fine for a few days of protection, but a 12-character password is generally thought to be long enough to provide protection for a maximum of 90 days. A 15-character password is often considered good protection for up to a year.
The myth of complexity
Most security guidelines also insist on character complexity, which usually means that the password must contain multiple character sets, such as uppercase alphabetic characters, numbers, keyboard symbols, and so on. As I've noted in the past, however, complexity is less important than length. A password of sufficient length can defeat a password guesser or cracker, whereas complexity adds significant value only when the complexity is random or near-random.
Typically, when users are forced into complexity, they use the same types of characters in the same places. For example, when people are required to create an 8-character password with complexity, most will choose a root word in their country's language, with an uppercase first letter (usually a consonant), followed by a lowercase vowel. If they use a number, it will usually be a "1" or a "2" and placed at the end. If they use a symbol, it will usually be one of a handful of characters placed somewhere in the middle, often replacing a letter with a similar shape: an @ or a zero to replace an "o," an exclamation mark for an "i," and so on.
Password attackers know this, and their password cracking tools are optimized to guess at passwords using these patterns. Several security experts, including myself, have analyzed large dumps of captured passwords and found the password patterns I've outlined above to hold true again and again.
For complexity to add significant value, the password must be truly unique and random -- something like %Tv4$H@.<P. But if it's that ugly, people will either write it down or never remember it. Unfortunately, most security auditors and regulations (including PCI DSS) require password complexity. For example, I use a financial website with a maximum password length of six characters, but complexity is required. It makes me want to scream! I'd be much better off with a password of Dogdogdogdog or Iforeverlovedogs.