I need to confess right at the start that I’ve never been a fan of adding rules to create ‘complex’ passwords. I’m talking about the type of thing where you insist that someone uses a capital letter, some numbers and a special character.
Studies show that when you do this, most people fall back on a pattern they can remember, something like this:
- Start with a capital letter
- Numbers at the end
- Special character right at the end
In so doing we inadvertently create a set of passwords that are easier to crack, not harder: an attacker who knows the pattern only has to search the candidates that fit it (a mask attack), not the whole keyspace the policy was supposed to guarantee.
When creating a password on a mobile device the pattern gets even more embedded. It’s hard enough to type a long string on a mobile keyboard, and constantly switching between the various keyboard contexts makes it even more difficult.
Let me explain using the standard iOS keyboard:
When I want to type a password the first screen that I see is the letter view:
To enter the first character as a capital letter, I tap the up arrow (shift) and then type the first part of the password.
If the capital letter is anywhere other than at the beginning, I need to tap the up arrow part way through the sequence, which is a bit messy, so I’m not likely to do that.
The next thing I do is click on the number key to show the numeric keyboard:
I’ll then type in the numbers, and I’m also likely to enter the special character at the end from the subset shown on that keyboard ($!~&=#._-+@).
If I choose not to use a special character from the subset on the numeric keyboard, I then have to tap the special-character key to see the special-character keyboard:
There’s no direct route from the letter keyboard to the special-character keyboard, so I’m never going to choose a special character from this keyboard in the middle of the password.
Also, experience tells me that some of the characters on the numeric keyboard don’t always work as special characters in passwords, so I use an even smaller subset.
There’s another factor: as someone who uses multiple mobile devices, the variety of special characters I’m likely to use is reduced further by the standard Android keyboard (as an example). Its subset of special characters on the numeric keyboard is different, and only a few are common to both.
If you then layer on top of that the placement of the special characters on a full-sized keyboard, you reduce the easily available special characters even further. Why would you choose ~ over #?
So rather than making the password more difficult to guess, the inclusion of complexity rules actually makes it easier.
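To make the two halves of this argument concrete (the keyboard-layer friction described above, and the keyspace the pattern leaves an attacker), here is an added Python example; it is not code from the original post. It models the iOS keyboard as the post describes it (a letter layer; a numeric layer carrying the digits plus $!~&=#._-+@; a symbol layer reachable only via the numeric layer), counts mask candidates in hashcat-style notation (?u ?l ?d ?s), and compares that against the 95^n keyspace a “complex” policy nominally buys. The sample passwords and the four-character COMMON_SPECIAL set are constructed for illustration and are assumptions, not data from the post.

```python
"""Keyspace reduction and typing cost of 'complexity-rule' passwords.

Added example, not code from the original post. The iOS layer model follows
the post's description; SAMPLE and COMMON_SPECIAL are constructed assumptions.
"""
import math
import re
import string

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
ALL_SPECIAL = string.punctuation            # the 32 printable ASCII specials
IOS_NUMERIC_SPECIAL = "$!~&=#._-+@"         # specials on the iOS numeric layer (from the post)
COMMON_SPECIAL = "!@#$"                     # assumption: the few most people actually reach for

# The pattern the post describes: capital first, lowercase body, digits, one special last.
PATTERN = re.compile(r"[A-Z][a-z]+[0-9]+[^A-Za-z0-9]")


def matches_pattern(pw: str) -> bool:
    return PATTERN.fullmatch(pw) is not None


def pattern_fraction(passwords) -> float:
    """Share of a password list that fits the predictable pattern."""
    return sum(matches_pattern(p) for p in passwords) / len(passwords)


def mask_keyspace(mask: str, special: str = ALL_SPECIAL) -> int:
    """Number of candidates for a hashcat-style mask such as '?u?l?l?l?l?l?d?d?s'."""
    sizes = {"u": len(UPPER), "l": len(LOWER), "d": len(DIGITS), "s": len(special)}
    total = 1
    for cls in mask.split("?")[1:]:
        total *= sizes[cls]                 # KeyError on an unknown class is deliberate
    return total


def pattern_mask(length: int, digits: int = 2, specials: int = 1) -> str:
    """Mask for the post's pattern at a given total length."""
    body = length - 1 - digits - specials
    if body < 1:
        raise ValueError("length too short for the pattern")
    return "?u" + "?l" * body + "?d" * digits + "?s" * specials


def full_keyspace(length: int) -> int:
    """What the policy nominally promises: 95 printable ASCII characters per position."""
    return 95 ** length


def reduction_bits(length: int, special: str = ALL_SPECIAL) -> float:
    """Bits of effective entropy lost when the attacker searches only the pattern mask."""
    return math.log2(full_keyspace(length) / mask_keyspace(pattern_mask(length), special))


LETTER_LAYER = set(UPPER + LOWER)
NUMERIC_LAYER = set(DIGITS + IOS_NUMERIC_SPECIAL)


def layer_of(ch: str) -> str:
    if ch in LETTER_LAYER:
        return "letters"
    if ch in NUMERIC_LAYER:
        return "numeric"
    return "symbols"                        # assumption: every other printable char lives here


def typing_cost(pw: str):
    """(layer switches, shift taps) needed to type pw under the layer model above.

    From the post: there is no direct route from the letter layer to the symbol
    layer, so letters -> symbols costs two switches (via the numeric layer).
    """
    switches = shifts = 0
    layer = "letters"                       # assumption: the field opens on the letter layer
    for ch in pw:
        target = layer_of(ch)
        if target != layer:
            switches += 2 if (layer, target) == ("letters", "symbols") else 1
            layer = target
        if ch in UPPER:
            shifts += 1
    return switches, shifts


# Constructed sample: the first three follow the pattern, the last three do not.
SAMPLE = ["Summer22!", "Password1#", "Welcome2024$",
          "correcthorsebattery", "x7$Kq!pZ", "Tr0ub4dor&3"]

if __name__ == "__main__":
    print(f"pattern fraction in sample: {pattern_fraction(SAMPLE):.2f}")
    for pw in SAMPLE:
        print(f"{pw:22} pattern={str(matches_pattern(pw)):5} switches/shifts={typing_cost(pw)}")
    for name, subset in [("all 32", ALL_SPECIAL), ("iOS row", IOS_NUMERIC_SPECIAL), ("common", COMMON_SPECIAL)]:
        print(f"9 chars, specials={name:7}: lost {reduction_bits(9, subset):.1f} bits vs 95^9")
```

Run as a script it prints, for each sample password, whether it fits the pattern and how many layer switches and shift taps it costs to type; the patterned ones cost a single switch, the unpatterned ones several. It then shows that a nine-character password under the pattern mask is roughly 19 bits weaker than the 95^9 keyspace the policy suggests, about 21 bits weaker if the attacker assumes the iOS numeric-row specials, and about 22 bits weaker with the four specials most people reach for. Each extra assumption the attacker can make about the pattern removes bits that extra length would have to put back.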
For a slightly more scientific answer:
I can understand why it’s an issue, particularly when people stick to such common passwords: Top 500 Passwords: Is yours there? It’s just that I happen to think we would be better off simply extending the length of passwords, until we get rid of them altogether, that is.