I really wish people would stop complaining about creating passwords. All it would take is a shift in thinking. If I may be so bold, consider this: your passwords are the most important thing standing between you and anyone, in any country, doing anything you can: reading your email, accessing your files, moving your money, etc. I submit that you should think of passwords as virtual keys to your house. Would you want anyone else to have the same key to your house as you? Probably not.
Now to complexity. The most important thing when making passwords is length. Sometimes that is considered part of complexity, sometimes not, but in reality it trumps everything. By complexity I mean uppercase, lowercase, special characters, numbers, etc. For example, I’d rather have a 10 character alpha password than a 6 character alphanumeric password. A Securityfocus thread in August 2007 brings up some interesting mathematics involving the ancient (NT4 SP2) passfilt.dll that M$ stubbornly refuses to update, at least in a currently released OS. This DLL creates the restriction that passwords must be at least 6 characters and contain 3 of 4 categories (upper, lower, number, special), among other things; M$ article here. The posters debate how these M$ restrictions may actually lower the number of passwords a cracker would have to try, as opposed to having no requirements at all. While I don’t feel comfortable, or motivated, enough to get into the mathematics, I think the point to remember is that length trumps any argument about variation of password makeup. Although it is not commonly accepted by the army of “pay me now” government regulation auditors, and even by many “old school” directory administrators, I recommend concentrating on length rather than only on passfilt.dll restrictions. Unfortunately, companies often need to be more concerned with those auditors’ blessings than with InfoSec guys like me.
The problem, in my opinion, is being blinded by the mathematics while ignoring common sense. Yes, a 6 character alpha password has 308,915,776 possible combinations (26^6 = 308,915,776), and since the account locks out after 3 attempts, working through 308,915,776 combinations 3 at a time is declared impossible. But you can manipulate statistics and mathematics to prove many falsehoods; did you know 4 out of 5 people think the fifth one is an idiot? 🙂 My point is that malicious users love administrators and auditors who believe such logic, because they are forgetting about the weakest link in the InfoSec world: the average user (no offense). Such logic does not apply to them, because it assumes a completely random 6 character password, whereas users will pick anything but. Can you say 123456? “That’s Amazing! I’ve got the same combination on my luggage!”
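As an added illustration (not part of the original post), the following Python works the numbers from the two paragraphs above: the keyspace comparisons (6 alpha vs. 6 alphanumeric vs. 10 alpha), the lockout arithmetic, and the Securityfocus point that a 3-of-4-category rule makes the keyspace strictly smaller than the unconstrained one, since every password using only one or two categories is excluded. The category sizes (26 upper, 26 lower, 10 digits, 32 specials, i.e. the 94 printable ASCII characters) are my assumption, not figures from the thread.

```python
from itertools import combinations
from math import ceil

# Character classes a passfilt.dll-style rule distinguishes. The sizes are an
# assumption for this example: the 94 printable ASCII characters split as below.
CATEGORIES = {"upper": 26, "lower": 26, "digit": 10, "special": 32}
PRINTABLE = sum(CATEGORIES.values())  # 94


def keyspace(length: int, alphabet_size: int) -> int:
    """Distinct passwords of exactly `length` characters over the given alphabet."""
    return alphabet_size ** length


def exactly_these_categories(length: int, cats) -> int:
    """Passwords of `length` that use every category in `cats` and none outside it.

    Inclusion-exclusion over the subsets of `cats`: strings drawn from only a
    subset of the required classes are subtracted or added back by subset size.
    """
    total = 0
    for k in range(len(cats) + 1):
        for subset in combinations(cats, k):
            sign = -1 if (len(cats) - k) % 2 else 1
            total += sign * sum(CATEGORIES[c] for c in subset) ** length
    return total


def at_least_n_categories(length: int, n: int) -> int:
    """Passwords of `length` that satisfy an 'n of 4 categories' complexity rule."""
    names = list(CATEGORIES)
    return sum(exactly_these_categories(length, cats)
               for k in range(n, len(names) + 1)
               for cats in combinations(names, k))


def lockout_windows(space: int, attempts_before_lockout: int = 3) -> int:
    """Lockout windows an online guesser needs to try every password in `space`."""
    return ceil(space / attempts_before_lockout)


if __name__ == "__main__":
    print("6 alpha:            ", keyspace(6, 26))        # 308,915,776, as in the post
    print("6 alphanumeric:     ", keyspace(6, 62))
    print("10 alpha:           ", keyspace(10, 26))
    print("6 printable, any:   ", keyspace(6, PRINTABLE))
    print("6 printable, 3-of-4:", at_least_n_categories(6, 3))
    print("lockout windows, 6 alpha:", lockout_windows(keyspace(6, 26)))
```

The gap between the unconstrained and the 3-of-4 count is exactly the set of passwords a cracker no longer has to try once the policy is known; the numbers only describe random passwords, which is the post's point about real users.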
So longer is better. The next time you have to change your password, try something like this: “Wow, I loved going to Pacific Beach that 1 time”. You, your data, and your company’s network will be MUCH better off.