But how do passwords have to look like to be considered secure? And who determines that? There is no authority with guidelines on the creation of secure passwords. Companies, organizations, software developers and end users all have their own definition of secure passwords.

While some may think it is sufficient to select a password with numbers in it, others demand a password with upper and lower case chars, numbers, special characters and a minimum length of 16 or more.

Defining the format of a secure password is however only one side of the medal. It does not do anything good if the software, website or service is not compatible with those settings. A website that restricts the password to a length of 10 characters without special characters would be incompatible with a secure passwords policy that requires at least 14 chars and one special character.

Generally speaking, a password becomes more secure with the length of characters it contains, and the different types of characters used.

Several companies have created online tools that give the user feedback on the complexity of the password. Is that password secure is a common search term for those services. Lets take a closer look at some of them, but before that, lets define some typical passwords that we will feed them.

password 1: password
password 2: 4wOe409r
password 3: !S8I5U39YDnt8f
password 4: E&4!74mneGrTmOJ!HIr0
password 5: DP12c*0J!dM5mfdq2r!&WmMi!#g3

Microsoft password checker: Offers a simple form field which accepts a password. The ratings go from weak to best.

check your password

password 1: weak
password 2: weak
password 3: strong
password 4: strong
password 5: best

How Secure Is My Password: Does not display a rating, but tries to estimate the time it would take to crack the password.

password 1: One of the 500 most common passwords, It would be cracked almost instantly
password 2: It would take About 252 days for a desktop PC to crack your password
password 3: It would take About 564 billion years for a desktop PC to crack your password
password 4: It would take About 100 sextillion years for a desktop PC to crack your password
password 5: It would take About 100,603,110 nonillion years for a desktop PC to crack your password

The Password Meter: Compiles a list of all characters used and rates the passwords accordingly.

password strength

password 1: Very Weak, score 7%
password 2: Very Strong, score 81%
password 3: Very Strong, score 100%
password 4: Very Strong, score 100%
password 5: Very Strong, score 100%

The three password security checkers seem to disagree on the strength of some of the passwords used. All see the first password as a weak password, but similarities end there, as the second password is considered weak by Microsoft, but very strong by Password Meter.

The question now is how you can come up with a password policy to make sure that you only use secure passwords. The answer is simple: Always use a password that comes close to the maximum length allowed. That value is highly software and site specific. Here are a few suggestions:

• Never use a password with less than 16 chars unless the site limits the maximum character length to less than that
• Always use upper and lower case characters
• Always use at least one number in the password
• Always use at least one special character in the password
• Never use dictionary words as part of the password or the password

This leads to a problem: Remembering the passwords. The easiest way is to use a password manager like Last Pass for this. Password managers can create passwords based on the user’s parameters. Last Pass users for instance only need to press Alt-G to open the password creation window in the web browser.

password creation

The password can then be copied and entered during account creation. These passwords can also be used for non-web services, and stored in the password manager for retrieval.

Password managers will automatically save passwords and accounts that have been created, so that there is no need to remember the password. Only the master password, which is the password providing access to the password manager’s database needs to be remembered.

A simpler solution is to write down the passwords locally, and either carry them with you all the time, or store them in a secure location so that third parties cannot use them to access the accounts.

Do you have a password policy? Let us know in the comments.

The free program is a limited version of the commercial software from the same developer. It requires the Microsoft .net Framework 2, the Microsoft Management Console and PowerShell. The interface of the application makes it less time consuming to configure password policies for specific user groups in Windows Server 2008. It basically centers around creating, configuring and managing password policies.

The following parameters can be defined for each password policy:

A Password Settings object (PSO) has attributes for all the settings that can be defined in the Default Domain Policy (except Kerberos settings). These settings include attributes for the following password settings:

• Enforce password history
• Maximum password age
• Minimum password age
• Minimum password length
• Passwords must meet complexity requirements
• Store passwords using reversible encryption
• Account lockout duration
• Account lockout threshold
• Reset account lockout after

User groups can be added to newly created policies. It has to be noted that user groups cannot be empty as empty user groups cannot be added to password policies. The program displays an overview of all password policies on the computer system. The order can be changed which is important if users are members of multiple user groups.

Specops Password Policy Basic can be downloaded from the developer’s homepage.