Ultimately the goal of the KU password requirements is to help users choose better passwords. It is not always clear how to achieve that goal: as creative as humans are, we are also very predictable, and so we tend to choose passwords that can be guessed or broken with little effort. Despite all the advances in security technology, one thing remains constant: passwords still play a central role in system security.
The difficulty with passwords is that they are all too often the easiest security mechanism to defeat. Through technology and policy we can better ensure that KU's users and their information remain protected.
What are the requirements?
A good password meets the following requirements:
- Be at least 7 characters long
- Contain at least one special character (&, #, -, _, etc)
- Contain at least one uppercase and one lowercase letter
- Contain at least one digit (0-9)
A good password shall NOT:
- Be an alphabetic series, either forwards or backwards (e.g., ABCDEF or FEDCBA)
- Be a numeric series, either forwards or backwards (e.g., 123456 or 654321)
- Be a string of all identical letters or numbers (e.g., AAAAAA or 111111)
- Be a common keyboard key sequence (e.g., ASDFG or QWERTY)
- Be an easily guessed word such as your name, userid, or any variation thereof (backwards, changing case, etc.)
- Be a word (or words) referring to anything noticeable about you, such as the name of your spouse, child, pet, favorite football team, or literary character
- Be a word that appears in a dictionary
[Note: A space or pipe ( | ) is not always a valid password character on many computer systems.]
Why were those requirements chosen?
No dictionary based words
Hackers have built large dictionaries of common words (often containing hundreds of thousands of words in many languages) and use them to make guessing your password easier: a dictionary attack tries each entry, and common variations of it, instead of every possible combination of characters. This is the primary reason that using a common word, in any language, is a very big no-no. Believe it or not, Jayhawk (and many other mascots) are in these dictionaries.
If you use a common word as your password, you might think you are protected if you replace letters of that word with numbers or symbols that look like the letters, such as J4yH4wk or P@ssw0rd. Unfortunately, hackers know these tricks too: cracking tools apply such substitutions (along with appended digits, changed case, and reversal) to every dictionary word automatically, so a disguised word is only a few guesses away from the plain one.
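The requirements list above and the dictionary discussion can be turned into a single check. The following is an added example written for this page, not a KU tool: it tests each "shall" and "shall NOT" rule, and before the dictionary lookup it reduces the password to its core the way a cracker's rules would (strips digits and symbols bolted onto the ends, lowercases, and undoes look-alike substitutions) so that J4yH4wk and P@ssw0rd are both recognised as dictionary words. The word list and the substitution map are small constructed stand-ins; a real check would load a full cracking wordlist. It goes slightly beyond the list by applying the series and keyboard-row checks to that core as well, so Qwerty1! is caught along with QWERTY.

```python
import string

# Constructed stand-in for the cracking wordlists the page describes (assumption:
# a real check loads a full wordlist of hundreds of thousands of entries from disk).
DICTIONARY = {"password", "jayhawk", "kansas", "football", "welcome", "rockchalk"}

# Look-alike substitutions that crackers undo routinely: J4yH4wk and P@ssw0rd
# both collapse to dictionary words once these are reversed.
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"})

ALPHA = string.ascii_lowercase
DIGITS = string.digits
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
MIN_LENGTH = 7


def is_series(s: str, sequence: str) -> bool:
    """True if s is a contiguous run of 3+ characters of `sequence`, forwards or backwards."""
    s = s.lower()
    return len(s) >= 3 and (s in sequence or s in sequence[::-1])


def core_word(pw: str) -> str:
    """Strip digits/symbols bolted onto either end, lowercase, and undo look-alike substitutions.
    This is the form a cracker's mangling rules reduce a password to before the dictionary lookup."""
    core = pw.strip(DIGITS + string.punctuation + " ")
    return core.lower().translate(LEET)


def check_password(pw: str, userid: str = "", personal: tuple = ()) -> list:
    """Return the list of rules `pw` violates; an empty list means it meets the requirements.
    `personal` holds words noticeable about the user (spouse, pet, team, ...)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        problems.append("needs both an uppercase and a lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if len(set(pw)) == 1:
        problems.append("all identical characters")

    # Series and keyboard-walk checks run on the whole password and on its core,
    # so "Qwerty1!" is caught as well as "QWERTY".
    core = core_word(pw)
    forms = (pw, core)
    if any(is_series(f, ALPHA) for f in forms):
        problems.append("alphabetic series")
    if any(is_series(f, DIGITS) for f in forms):
        problems.append("numeric series")
    if any(is_series(f, row) for f in forms for row in KEYBOARD_ROWS):
        problems.append("keyboard key sequence")

    # Name/userid and personal words, forwards or reversed, inside the normalised core.
    for name in (userid, *personal):
        n = name.lower()
        if n and (n in core or n[::-1] in core):
            problems.append(f"contains '{name}' or a variation of it")

    if core in DICTIONARY:
        problems.append(f"dictionary word '{core}' after undoing look-alike substitutions")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "J4yH4wk", "Qwerty1!", "Jsmith2024!", "Wheat#Field7"):
        print(f"{candidate:14} -> {check_password(candidate, userid='jsmith') or 'OK'}")
```

The dictionary lookup deliberately happens after normalisation rather than on the raw string; that ordering is the whole point of the J4yH4wk example, and it is how rule-based cracking works in practice.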
At least 7 Characters
With LM (Windows legacy) password hashes, a password was converted to uppercase and split into two separate 7-character halves, each hashed independently. This actually made passwords more vulnerable, because a brute-force attack could be run against each half at the same time and the search for either half never exceeds 7 characters. A 9-character password, for example, became one 7-character hash and one 2-character hash. Obviously, cracking a 2-character hash did not take long, and the 7-character portion (if not complex) could usually be cracked within hours.
The length of a password may be the most important decision you make; you will see why below.
Special Characters, upper/lower case, Numbers
When choosing a password, the variety of characters is very important. This protects your account from what is called a brute-force password attack, in which a hacker tries every possible combination of characters against your password until they get the right one. The larger the character variety (we refer to it as a character set), the more different passwords can theoretically be created. For example, if you had a 4-character password and used only lowercase letters, there are 456,976 possible passwords (26^4). While this might sound like a lot, a common desktop computer can test millions of passwords per minute, so a more complex password is needed. The total number of possible passwords is often referred to as the total key space.
Fun with Math
Now let us try some math. We'll look at the strength of passwords based on their complexity. For this we'll assume the password is at least 7 characters long (per the requirements).
A password that contains only lowercase letters (26) and uppercase letters (26)
Total Possible Characters = 52
Password Length = 7 Characters
Total number of possible passwords = 1,028,071,702,528 passwords
(26+26)^7 = 1,028,071,702,528 (~1 trillion)
This seems like a huge number to humans yet it's tiny to a computer. The IT Security office has proven that they can break one of these passwords in under a minute using a standard desktop PC.
A password containing lowercase letters (26), uppercase letters (26), and numbers (10)
Total Possible Characters = 62
Password Length = 7 Characters
Total number of possible passwords = 3,521,614,606,208 passwords
(26+26+10)^7=3,521,614,606,208 (3.5 trillion)
While this number is a little over three times larger, it is still computationally easy for a modern desktop computer to brute force (try all combinations of) the password in a short period of time (in our testing, often only a few minutes).
A password containing lowercase letters (26), uppercase letters (26), numbers (10), and special characters
If one adds in just the typical special characters (those easily entered on a standard keyboard), you gain another 33 characters.
Total Possible Characters = 95
Password Length = 7 Characters
Total number of possible passwords = 69,833,729,609,375 passwords
(26+26+10+33)^7=69,833,729,609,375 (69.8 trillion)
As you can see, by having users include a special character, the key space becomes almost 20 times larger, so the password will take much longer to guess. The goal is a password whose key space is so large that hackers cannot easily exhaust it.
More Math Fun
In the examples above we assumed the password was exactly 7 characters. In reality a password could be longer or shorter, and an attacker does not know its length in advance, so a brute-force search that covers every length up to n has to try, computationally speaking (for the math students out there):
s^1 + s^2 + s^3 + ... + s^n (where s is the size of the character set and n is the greatest possible length of the password)
What is really interesting about this is how the key space grows as a function of the password length:
95^1 = 95
95^1+95^2 = 9,120
95^1+95^2+95^3 = 866,495
...
95^1+95^2+95^3+95^4+95^5+95^6+95^7+95^8 = 6,704,780,954,517,120
That one extra (eighth) character gives you another 6.6 quadrillion possible passwords, roughly 94 times as many as every shorter length combined.
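The three 7-character calculations above, the cumulative series s^1 + ... + s^n, and the LM split described earlier can all be checked with a short calculator. This is an added example written for this page, not KU's own tooling. The character-class sizes are the page's (26, 26, 10, 33); the two guess rates are order-of-magnitude assumptions for illustration only (a single CPU core against an unsalted fast hash, and a modern GPU against the same), and the LM character set is assumed to be the page's 95 symbols minus the 26 lowercase letters, because LM uppercases the password before hashing. Replace the rates with measured figures for your own hardware.

```python
import math

# Character-class sizes as the page counts them (33 specials = keyboard symbols, space included).
LOWER, UPPER, DIGITS, SPECIALS = 26, 26, 10, 33

# Assumed guess rates for illustration only (guesses per second); substitute measured values.
CPU_RATE = 1e7    # assumption: one CPU core against an unsalted fast hash
GPU_RATE = 1e10   # assumption: one modern GPU against the same kind of hash


def key_space(charset_size: int, length: int) -> int:
    """Passwords of exactly `length` characters drawn from `charset_size` symbols: s^n."""
    return charset_size ** length


def cumulative_key_space(charset_size: int, max_length: int) -> int:
    """Every password of length 1..max_length: s^1 + s^2 + ... + s^n (the page's series)."""
    return sum(charset_size ** n for n in range(1, max_length + 1))


def entropy_bits(space: int) -> float:
    """Key space expressed in bits; each extra bit doubles the brute-force work."""
    return math.log2(space)


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst case: the attacker must try every candidate (on average half of them suffice)."""
    return space / guesses_per_second


def humanize(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def lm_work(length: int) -> tuple:
    """LM hashing uppercases the password and hashes it as two independent 7-character halves.
    Returns (work to search it as one string, work to search the two halves separately).
    Assumption: LM character set = the page's 95 symbols minus the 26 lowercase letters."""
    lm_charset = UPPER + DIGITS + SPECIALS              # 69 symbols
    first, second = min(length, 7), max(length - 7, 0)
    whole = lm_charset ** length
    split = lm_charset ** first + (lm_charset ** second if second else 0)
    return whole, split


def strength_table(length: int) -> list:
    """One row per character set on the page: (label, size, key space, bits, CPU time, GPU time)."""
    rows = []
    for label, size in (("upper+lower", LOWER + UPPER),
                        ("upper+lower+digits", LOWER + UPPER + DIGITS),
                        ("upper+lower+digits+specials", LOWER + UPPER + DIGITS + SPECIALS)):
        space = key_space(size, length)
        rows.append((label, size, space, round(entropy_bits(space), 1),
                     humanize(seconds_to_exhaust(space, CPU_RATE)),
                     humanize(seconds_to_exhaust(space, GPU_RATE))))
    return rows


if __name__ == "__main__":
    for row in strength_table(7):
        print(row)
    for n in range(1, 9):   # the page's 95^1 + ... + 95^n series
        print(f"up to {n} chars: {cumulative_key_space(95, n):,}")
    whole, split = lm_work(9)
    print(f"9-char LM: {whole:,} as one string vs {split:,} as two halves ({whole // split:,}x less work)")
```

Two things the table makes visible that the prose only states: adding the 33 specials at length 7 buys about 4.3 bits, whereas adding one more character at 95 symbols buys about 6.6 bits, which is why length wins; and the LM split collapses a 9-character search from 69^9 to 69^7 + 69^2, a reduction of more than four thousand times.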
Passwords... size matters
Summary
Although any password may eventually be discovered by other means (through a keylogger or social engineering, for example), it is possible to create a password that cannot be cracked in any reasonable time. If a password is complex enough, it will take so long or require so much processing power to crack that it is essentially unbreakable (at least for most hackers).
Resources
KU's Password Policy http://www.policy.ku.edu/it/security.shtml
Choosing Good Passwords http://www.security.ku.edu/docs/doc-viewer.jsp?id=4
Change your KU Online ID Password http://www.ku.edu/computing/services (Click on "Get a new password")
Source
Jeff Perry
KU IT Security Office
http://www.security.ku.edu