6.5 Explain password best practices.
📘CompTIA ITF+ (FC0-U61)
Password complexity refers to how difficult it is for someone else (like a hacker) to guess your password. The more complex a password is, the harder it is to crack. Complexity is one of the main factors that help keep accounts and systems safe.
1. Key Elements of Password Complexity
A complex password usually contains multiple types of characters. These include:
- Uppercase letters (A-Z)
- Example:
A, B, C - Adds variety, making passwords harder to guess.
- Example:
- Lowercase letters (a-z)
- Example:
a, b, c - Required along with uppercase letters for better complexity.
- Example:
- Numbers (0-9)
- Example:
1, 2, 3 - Including numbers increases password possibilities exponentially.
- Example:
- Special characters
- Example:
!, @, #, $, %, ^, &, * - Special characters make passwords much harder for automated tools to crack.
- Example:
- Avoiding dictionary words
- Words found in dictionaries (
apple,password) are easy for attackers to guess using “dictionary attacks.” - Instead, mix letters, numbers, and symbols.
- Words found in dictionaries (
2. Recommended Practices for Password Complexity
Here are some IT best practices for creating complex passwords:
- Length + Complexity = Security
- A longer password is generally more secure.
- For example,
P@ssw0rd2026!is stronger than justPassword1. - IT systems often require 8–12 characters minimum, but longer passwords are safer.
- Use a mix of character types
- A strong password might look like:
F3l!xT9&bQ. - This mix of letters, numbers, and symbols makes it extremely difficult for attackers to guess.
- A strong password might look like:
- Avoid predictable patterns
- Don’t use repeating letters (
aaaa1111) or sequences (123456,abcdef). - Hackers often try common patterns first.
- Don’t use repeating letters (
- Do not reuse passwords across systems
- If one system is hacked, using the same password elsewhere can compromise other accounts.
- Use passphrases with complexity
- A passphrase is a sequence of random words combined with numbers or symbols.
- Example:
Sun!T1ger#C0mp. - Easier to remember but still strong due to length and mixed characters.
3. Real IT Environment Examples
In IT environments, password complexity is often enforced by software and security policies:
- Corporate systems
- Employees must create passwords with at least 8 characters, uppercase, lowercase, numbers, and symbols.
- The system may reject passwords like
Welcome1because it’s too simple.
- Network devices (like routers or servers)
- Admin accounts require very strong passwords with high complexity to prevent unauthorized access.
- Cloud services and web applications
- Services like corporate email or file-sharing platforms enforce complexity rules automatically:
- Minimum length
- Character variety
- Regular expiration (e.g., every 90 days)
- Services like corporate email or file-sharing platforms enforce complexity rules automatically:
4. Why Complexity Matters
- Protects against brute-force attacks: Hackers use automated tools to guess passwords by trying every combination. A complex password slows them down significantly.
- Reduces risk from dictionary attacks: Avoiding real words prevents attackers from quickly finding your password.
- Compliance and security policies: Many organizations and IT standards require complex passwords to meet security rules.
5. Summary – Key Points for Exam
- Password complexity = length + character variety.
- Must include: uppercase, lowercase, numbers, special characters.
- Avoid common words, sequences, and reused passwords.
- Passphrases are a secure, memorable option.
- IT systems often enforce complexity automatically.
- Strong complex passwords reduce the risk of hacking and ensure compliance.
💡 Exam Tip:
For ITF+, when asked about password complexity, always remember to mention length, character types (upper, lower, numbers, symbols), avoiding dictionary words, and not reusing passwords. This covers the points needed for the exam.
