Simplifying Password Complexity

Steve Simpson CISSP

Introduction
How many passwords do you currently have to remember? I don’t know the actual
statistics but surely these days, most people must have to remember the passwords
to four or more applications or functions at any one time. Those of us that work in IT
quite often have to remember considerably more. It is for this reason that it’s the IT
community that tend to become the most complacent and end up having the worst
personal practices for selecting and employing passwords. ICT business users will (I
hope) have to remember a password for logging on to their business computer some
will have more than one account depending upon the function they are providing.
Many applications will have separate password requirements as could email
programs. Even at home where you may not have to log into your computer you
need to have passwords for each of your email accounts, accessing various websites,
bank account details configuration of your ADSL router and many others. The sad
thing is that the more passwords we have to remember the slacker we tend to
become in the way that we select and handle them.
I consider myself fortunate in that wherever I have worked there has been a good
security policy in force which mandates the use of strong passwords. I say fortunate
because this shows me that the organisations I have worked for take the security of
the information on their systems seriously and therefore gives me the confidence that
any information I store there is going to receive a good degree of protection.
However in the past I have worked as a helpdesk operator, IT support technician,
system administrator and now as a security consultant. In each of these areas I have
regularly faced resistance to the application of strong password policies. Sometimes I
have faced resistance to implementing any password controlled access at all. This
resistance has also surprised me on occasion by coming from high levels of
management within an organisation. The most common excuses for this resistance,
seems to be a belief that the more complex a password and the more often it is
changed then the more likely are the chances of forgetting the password and
therefore the more likely that the password will have to be written down, and hence
risking compromise. This is true to a certain extent, but if passwords are being easily
forgotten then it could be that some methodology in their means of selection needs to
be adopted. It is difficult to change this attitude but we can reduce the amount of
resistance through logical policy enforcement and through user education.

Appropriate Password Policy?

Is the password policy being enforced through your organisational system security
policy appropriate to the highest value of the information assets that can be accessed
using that password for access? It could be that the policy is too strict when the value
of the information assets on that system is assessed. Or it could be that the value
has been under estimated and therefore a more secure password policy may be
required. When reduced to basics, we use passwords to provide system owners with
a means of identifying individual users and if authenticated, granting them the
appropriate access authority for that system. The level of protection for an access
password though must depend upon the value of the information it is protecting.
For example: If you have an administration computer system that only contains
information about the stock and order levels of the company’s stationary cupboard
then this system is unlikely to require strong means of identification and
authentication. However if that same system also had an area that contained the
personal details of all company employees or the payroll and banking details then the
means of identification and authentication needs to be considerably stronger. The

Page 2 of 7

Steve Simpson – Principal Consultant Infosec Plus Consulting

stronger the password the harder it is for a potential attacker to gain access and
therefore the greater protection you are giving the data held on the system. Even if a
user in the second example has only has a business need to access to the stationary
orders the strength of password needs to be the same as that of the CFO accessing
the payroll information. The reason being that if an attacker managed to obtain the
username and password of the stationary clerk then they could use this as a starting
point to breach the system border and launch their attempt to gain access to the
CFOs data. This is an example but it demonstrates the underlying theory for
employing an appropriate level of password strength across the enterprise.
This is of course a greatly simplified example avoiding such topics as the
mathematical calculation of password space, the use of cryptographic algorithms,
hashing and salting. Specialist advice should be sought on these topics if the
information assets that you are protecting have extreme sensitivity or where national
security is concerned.

Complexity Issues
When a new system is introduced or security on an existing system is increased due
to the introduction of more sensitive information assets, then the change in ‘user
culture’ must be carefully managed. A project introducing a new system can be
doomed to failure if the users resist so much that the new system does not used to its
full potential and therefore does not bring the business benefits promised in the
business plan or PID.
If we have assessed the level of authentication and identification appropriate to the
system then to reduce the resistance for having complex passwords, all users need
to have a degree of awareness for the reasoning behind it. It is best practice (and
mandatory for compliance with some governance standards) for all users of business
system to receive at least annually some form of security awareness training. This
training should include good factual explanations for the need for the password policy
being implemented. Training needs to include an explanation of the ways that
attackers can discover weak passwords, through such means as dictionary attacks
and social engineering techniques. However in addition to this what can really make
a difference is to explain to a user how they can generate strong passwords that are
relatively easy for them to remember. There are many ways that this can be achieved
but my personal favourites include those listed below:
There are four types of character that can be included in a complex password:
 Lower case alphabetical characters (abc etc)
 Upper case alphabetical characters (ABC etc)
 Numbers (0123456789)
 Special characters (!@#$%^&*()_+[]\{}|;’:”,./<>?) (Although it must be noted
that not all systems will accept all of these characters, advice on this may need to
be sought from your helpdesk or local support).
Common implementations of complexity requirements may require that at least two
or three of the four types of character listed above to be necessary in a password for
it to be compliant with policy. Whether it is heeded or not, the majority of system
users will be aware that passwords should not consist of words, numbers or phrases
that could be linked or be directly attributable to them. So names and birthdays etc
are normally out of the question (taboo). However there are a few techniques shown

Page 3 of 7

Steve Simpson – Principal Consultant Infosec Plus Consulting

below that can be employed which make passwords relatively complex but at the
same time keeping them simple enough to remember.

Randomising capitals – This allows two of the complexity character types to be

used in a password so that the plain dictionary password widgets could become
wIdGeTs or WidGETs. A single 7 letter word has (by my weak math standard) just
developed a maximum of 128 password combination possibilities. Whilst it is not
good practice to say so, this complexity could mean that even when a password has
been poorly chosen (in that it is a word or number that can be directly linked or
attributed to the user), it is not going to be simple for an attacker guess correctly
within the number of attempts permitted in policy.

Character/number substitution – Again using two of the complexity character types,

this involves replacing alphabetical characters with similar looking numbers or
charicters so the letters I or L (in lower or upper case) could be substituted with the
number 1, the letter o can be substituted with the number 0, the letter g can be
replaced with the number 8 and so on. Now the same dictionary password widgets
can be made more complex to become w1d8ets or other combinations.

Randomising capitols and character/number substitution combination – This

employs three of the four complexity character types and therefore greatly increases
the complexity of the password and takes the possible password combinations way
beyond my mathematics capabilities (not least because no one can know how you
will interpret numbers looking like letters etc). Our example of widget as a password
could now become w1d8ETs or W1dgeTs or many others.

Special character substitution – To include the fourth complexity character type we

can substitute letters or numbers for any of the special characters found by holding
the shift key down on your keyboard. If your chosen password is a number then you
can easily hold the shift key down while typing one or more of the numbers to make it
much more complex so the password 1234567 could become !@#4567 or 123$%67
and once again a 7 character password has gained instant complexity. You can also
take special characters that look like numbers or letters and place them in your
passwords in a similar way that we did with numbers and letters. So the letters I or L
could be substituted for the special character ! or the letter o or number 0 could be
replaced with the special character @ or the number 7 could be replaced with ?.
These can be of course all be combined to good effect so that the original password
of widgets can become w!d8tS which utilises all 4 complexity character types in a 7
character password that is not much harder to remember than the original word
‘widgets’. Suddenly the taboo passwords mentioned earlier have new connotations
that can make them acceptable in some cases.

Simplification Tips
These are all good techniques that can be used to obfuscate a known word or
number but these may still only be acceptable on a system where the requirement is
for minimum to moderate access security. Systems that require stronger or longer
passwords (or even passphrases) bring with them more difficult choices when it
comes to selecting the starting password. At the most extreme end of my personal

Page 4 of 7

Steve Simpson – Principal Consultant Infosec Plus Consulting

experience I have seen a system where the minimum password length was 15
characters with 3 out of the 4 complexity types needed. For selecting memorable
passwords for these systems I use the following technique.
For this method you need to select a baseline sentence or line that is familiar and
memorable to you. Suggestions for this could be a favourite line from a song or poem
or a phrase or saying. For the purposes of this explanation though, I shall use the
well known test sentence:
‘the quick brown fox jumps over the lazy dog’
From this staring base there are many options that you can select from, depending
upon the required password length. By taking the first letter from each word we
instantly have a 9 character password tqbfjotld that is easy to remember but difficult
to guess. Alternatively by taking the first two letters from each of the words we have a
memorable 18 character password thqubrfojuovthlado. By taking the first 3 letters
from each of the first 4 words we have the 12 character memorable password
thequibrofox. For those that want to be really cryptic you can alter the number of
letters selected from each word such as theqbrofjumotheldog, or take the last letter
from each word to make eknxsreyg. The possibilities are almost endless and I am
sure you have already realised that these long but memorable passwords can be
made even more secure and complex when combined with the obfuscation and
substitution techniques covered in previous paragraphs.

Conclusion
However you choose to select your password, there are a couple of tips that makes
remembering a password somewhat easier.
 On the day that you come in to work and discover that you have to change
your password, do not do it immediately. Take a little time to consider the
complexity options shown here but above all make sure that the base word or
phrase that you select is one that you know you will remember.
 Then after you have changed you password, log off every hour or so
throughout the day and re-input the new password. It can be a bit of a pain to
do, but our brains work well with remembering things that we do repeatedly
and this will greatly assist you in remembering your new password the next
time you try to log on.
There will always be users fighting to resist change, but I am sure that the majority
users will accept the changes more readily, when an understandable justification for
the need for password complexity is given, and when provided with the knowledge
allowing them to create complex yet memorable passwords.

Page 5 of 7

Steve Simpson – Principal Consultant Infosec Plus Consulting

 Page intentionally blank

Page 6 of 7

Steve Simpson – Principal Consultant Infosec Plus Consulting

Based in Perth, Western Australia, Infosec Plus Consulting is able to provide tailored,
vender neutral information security business advisory services. Services include:

 Data Loss Assessments – Data loss is a serious concern for all

organisations. Many organisations each year never manage to recover
from a security breach. Infosec Plus can provide you with assurance
through a holistic review of your business policies, processes and
procedures to establish where you may be susceptible to data loss
allowing you to establish where you may be susceptible to dat loss
allowing you to access the risks and apply targeted risk mitigation controls.
 Holistic Security Review – A holistic review of your organisations
information security including, technology, procedural, physical and
personnel security measures.
 Risk Assessment/Management – Assessing the risk from specific threats
will give you the ability to apply the most efficient and cost effective
security measures. The introduction of a risk management program can
considerably reduce operational costs.
 PCI Compliance Review – All organisations that store, process or transmit
credit card information must comply with the Payment Card Industries
Data Security Standard (PCI-DSS). Infosec Plus can guide you through
this process and provide you with the information you need to gain and
maintain compliance with this exacting standard.
 Security Awareness – The single most effective way to reduce data loss
and increase the security standing of your organisation is through the
introduction of a security awareness program. Infosec Plus can guide you
through the development of an awareness program and can provide one
to one or one to many training sessions to get the security message
across.
 Network Access Control – All organisations need to protect their valuable
business and personal data from the ever increasing need for system
interconnectivity. Infosec Plus can guide you through the process for
developing a Network Access Control policy that will allow day to day
business continue in the safest possible manner.
 Project Augmentation – If you are running or planning a project that needs
to include security representation, Infosec Plus can provide a consultant
to join your team providing expert security advice to ensure that the
project provides the security that your business information assets require.

Page 7 of 7

Steve Simpson – Principal Consultant Infosec Plus Consulting