Like most companies, our organization is concerned about security, and we've been setting policies to govern our SQL Server—authenticated passwords. Is it really all that important to choose a complex password that's "long enough" and that includes a mix of letter and number characters?

A Choosing a complex password—that is, a password that's long and includes a mix of alphabetical and numeric characters—is important because it provides a defense against the brute-force dictionary attacks that intruders use to decrypt a password. Writing a true decryption algorithm that breaks a strongly encrypted piece of data is difficult. However, an intruder can easily write an algorithm that tries various character combinations repeatedly in an endless loop until it finds a password match. Historically, such an approach wasn't practical because running the algorithm took too long, but the speed of modern PCs makes this kind of attack a real concern today.

How much protection does a complex password offer? Consider the following example, graciously provided by Morris Lewis, Web master of WinNetSecurity.com and a SQL Server Magazine contributing editor. Lewis used a basic hacking tool running on a 1.2GHz dual-processor PC to mount a dictionary attack against SQL Server passwords. Lewis cracked a 2-character password in seconds and cracked a 5-letter password in minutes. However, he was unable to crack a 14-character password after 4 days, at which point he stopped the test. The 14-character password, which used numbers, letters, and several special characters, had a total of 41 potential characters in 14 positions. (See the sidebar "Counting Characters" for an explanation of how Lewis arrived at 41 potential characters.) This combination creates 41 to the 14th power (37,929,227,194,915,558, 802,161) possible combinations.

I must have missed a crucial day of math class, because I have no idea how to even pronounce that number. However Lewis's test was able to try only 100 million of those combinations over 4 days, so it's reasonable to assume that a brute-force attack on that platform would have taken decades to succeed.

Unfortunately, most users end up writing long passwords on yellow sticky notes, defeating the intent of creating a long password in the first place, so requiring a 14-character password isn't necessarily helpful. Table 1 shows the number of password possibilities that exist as you range from 6- to 10-character passwords. The table also shows an estimated time for breaking the passwords when you use a brute-force attack and try as many as 300,000 combinations—a standard that some hacking tools claim to meet. As you can see, the difference between a 7-character password and an 8-character password is huge. So if you require passwords of at least 8 characters, you have a reasonable balance of security and practicality.

Seeing is believing when it comes to security. IT professionals often know the most secure requirements for their system but fail to implement them unless they have proof of the results. I hope Lewis's test convinces you that adding length and complexity to your passwords makes your system more secure.