
Password Complexity

Cyber threats are constantly evolving in today’s digital landscape. Password complexity is a critical aspect of cybersecurity that cannot be overlooked. Passwords are the first line of defense against unauthorized access. A password is essentially a code acting as a barrier to obtaining sensitive information from a user account. It must be strong enough to prevent unauthorized access: unique, complex, and difficult to guess. If you keep the following two rules in mind, which we explain in more detail below, you will have the best chance of having a password that an attacker cannot crack:
  • Make a password that is long (e.g., more than 16 characters)
  • Make a password that a person who knows you wouldn't be able to guess

Password Complexity Rules
Character Length - An 8-character password is generally the bare minimum character limit within an organization. When it comes to password length, the longer the password the better. A longer password makes it more difficult and time-consuming for an attacker to crack. Most password generators require 20 or more characters, which wouldn't be cracked within anyone's lifetime.

Special Characters - Use characters that are not alphabetic or numeric, such as !@#%&*. The goal is to increase the number of characters an attacker must try, making it more difficult to compromise your password with a brute force or dictionary attack. A dictionary attack mainly focuses on a pre-made list of common alphabetic and numeric password combinations, while a brute force attack involves trying every possible combination.

Numbers - Including numbers in your password increases the number of possible combinations through which an attacker must iterate to guess your password, which also increases the time the attack takes.

Uppercase and Lowercase Letters - Similar to numbers, combining a mix of both uppercase and lowercase letters makes a password more difficult to crack.

Making your password long (so a computer can't crack it) and making it something not easily guessable with a mix of different characters (so a person can't guess it) gives you the best chance of having a password that won't be cracked.
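To put numbers behind the two rules above, here is an added example (not part of the original article) that computes the brute-force search space and entropy of a password from the character classes it uses, and estimates worst-case crack time at an assumed guess rate. The guess rate and the class sizes from Python's string module are assumptions, not figures from the article.

```python
import math
import string

# Sizes of the character classes the article discusses.
CLASS_SIZES = {
    "lowercase": len(string.ascii_lowercase),  # 26
    "uppercase": len(string.ascii_uppercase),  # 26
    "digits": len(string.digits),              # 10
    "special": len(string.punctuation),        # 32 printable symbols
}

def classes_used(password: str) -> set:
    """Return the set of character classes that appear in the password."""
    used = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            used.add("lowercase")
        elif ch in string.ascii_uppercase:
            used.add("uppercase")
        elif ch in string.digits:
            used.add("digits")
        elif ch in string.punctuation:
            used.add("special")
    return used

def keyspace(password: str) -> int:
    """Candidates a brute-force attacker must try, assuming they know which
    character classes are in use but nothing else about the password."""
    alphabet = sum(CLASS_SIZES[c] for c in classes_used(password))
    return alphabet ** len(password)

def entropy_bits(password: str) -> float:
    """log2 of the keyspace: each extra bit doubles the attacker's work."""
    return math.log2(keyspace(password))

def years_to_exhaust(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case years to try every candidate (average is half that).
    1e10 guesses/s is an assumed figure for a fast offline attack."""
    return keyspace(password) / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    # Constructed samples: short-and-complex versus long-and-simple.
    for pw in ["P@ssw0rd", "correcthorsebatterystaple"]:
        print(f"{pw!r}: {entropy_bits(pw):.1f} bits, "
              f"{years_to_exhaust(pw):.3g} years worst case")
```

Running it shows that 25 lowercase letters carry far more entropy than 8 characters drawn from all four classes, which is why the article puts length first.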

Multi-Factor Authentication

Multi-Factor Authentication (MFA) is a security measure that provides an additional layer of protection for your online accounts and digital assets. It goes beyond the traditional method of relying solely on a password for authentication and introduces an extra factor that must be provided to verify your identity. By implementing MFA, you significantly enhance the security of your accounts and reduce the risk of unauthorized access, even in the event of a compromised password. Even if an attacker gets your password, they don't have your phone (or another device providing that second factor of authentication).
Multi-factor authentication combines multiple independent factors to verify your identity. The industry standard is using at least two of the three factors:
  • Knowledge (Something you know): These factors include something you know, such as a password, passphrase, or PIN. It’s essential to choose a strong and unique password that is not easily guessable or susceptible to brute force attacks. Avoid using common words or easily identifiable personal information.
  • Possession (Something you have): These factors involve something you have, such as a physical device or token. Common examples include a smartphone, hardware token, or smart card. These add an additional layer of security because even if an attacker gains access to your password, they would still need physical possession of the device or token to authenticate successfully.
  • Inherence (Something you are): Biometric factors include fingerprints, iris scans, facial recognition, or voice recognition. Biometrics provide a unique and difficult-to-replicate identifier.
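As an added illustration of combining the knowledge and possession factors (this is example code, not from the article or its authors), the following implements the RFC 6238 time-based one-time password that authenticator apps generate from a secret shared with the server, and a login check that requires both the password and the current code. The user record, salt and PBKDF2 parameters are constructed for the example; the TOTP secret is the RFC 6238 reference secret.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the phone and the server each derive the
    same code from the shared secret and the current 30-second time step."""
    counter = for_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def verify_totp(secret: bytes, code: str, now: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side (clock drift),
    comparing in constant time."""
    return any(hmac.compare_digest(totp(secret, now + k * step, step), code)
               for k in range(-window, window + 1))

# Constructed user record: salted PBKDF2 password hash plus the TOTP secret
# that was enrolled on the user's phone (possession factor).
SALT = b"constructed-salt"
ITERATIONS = 100_000
USER = {
    "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple", SALT, ITERATIONS),
    "totp_secret": b"12345678901234567890",   # RFC 6238 reference secret
}

def login(password: str, code: str, now: Optional[int] = None) -> bool:
    """Both factors must pass: a leaked password alone is rejected."""
    now = int(time.time()) if now is None else now
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)
    password_ok = hmac.compare_digest(candidate, USER["pw_hash"])
    return password_ok and verify_totp(USER["totp_secret"], code, now)
```

At the RFC 6238 test time of 59 seconds the reference secret yields 94287082, so the six-digit code is 287082.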


Richard Wolford
Software Engineer



Bottom Line

Creating strong and complex passwords is a crucial step in protecting our online accounts from unauthorized access. By following the best practices for password complexity and understanding the areas of attack, we can significantly enhance our security posture. It is important to remember the first step in safeguarding our digital identities starts with a strong password. Implementing these recommended practices allows us to stay one step ahead of cybercriminals.

If you would like more information or assistance in building a robust cybersecurity program, reach out to the PA Cyber Resource Center. We can provide valuable guidance and support in enhancing your online security measures to safeguard your digital presence.
Copyright © 2024 Concurrent Technologies Corporation. All rights reserved.
