Current approaches to password complexity enforcement make passwords predictable and, as a consequence, can reduce security instead of improving it. These approaches do not stand up against current topology-based password cracking techniques, which are optimized to take advantage of predictable patterns in user behavior. Organizations that require complex passwords may be inadvertently making it easier for an attacker to crack a large percentage of captured password hashes, because users tend to rely on easy-to-remember patterns that nominally meet complexity requirements yet introduce very little entropy, making a cracking attack feasible.
Many current approaches to enterprise-wide password complexity enforcement rely on static complexity rules based in whole or in part on length, required character sets (e.g., at least one uppercase letter, number, punctuation, etc.), basic dictionary checking (e.g., no substring longer than N characters may be a proper noun or found in a dictionary), and historical information (e.g., a new password must not exactly match one used in the past, or within the past M changes).
For example, an organization that requires passwords to be 12 characters long, contain at least one upper alpha, at least one lower alpha, numbers, and at least one special character, may find that 20% of their employees are picking passwords such as “Summer2013!”, “Spring2013!!”, “Winter.2013”, etc. Current behavioral-based password cracking techniques recognize these strength and complexity requirements commonly in use and exploit behavioral characteristics of users to identify weak passwords such as “F1rst.L@st” or “Foo!Bar11”. In practice, this means that passwords can be subjected to a modified brute-force cracking attack based on character class password topologies such as:

    ulllsulllld
    ulllldullls
    ulllsullllsdddd
    sulllldddd

where ‘u’ represents an uppercase letter, ‘l’ represents a lowercase letter, ‘d’ represents a digit, and ‘s’ represents a special character. Techniques such as these make cracking a number of relatively long and/or complex passwords much more feasible. For example, the full key space for a 15-character password chosen from a character set containing 91 symbols is more than 5.3 billion times the size of the key space for a 15-character password, from the same character set, having a character class topology of “ulllsullllsdddd”. When combined with dictionary techniques, a password matching this topology can often be cracked easily. Thus, one of the most practical methods for cracking sets of long and/or complex passwords is to prioritize known topologies in descending order based on their relative probabilities with the goal of yielding a disproportionate number of cracked passwords relative to an unprioritized brute force approach.
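As an added example (not code from the original text), the following Python computes a password's character-class topology, checks the 15-character key-space reduction quoted above, and ranks the topologies in a constructed sample so a defender can measure what share of a password set a handful of topologies cover. The class sizes 26/26/10/29 are an assumption chosen to match the 91-symbol alphabet in the text.

```python
"""Password topology audit (added example, not code from the original text)."""
from collections import Counter
from math import prod
import string

# Class sizes assumed here: 26 upper, 26 lower, 10 digits, 29 specials,
# i.e. the 91-symbol alphabet the text uses (91 - 26 - 26 - 10 = 29).
CLASS_SIZES = {"u": 26, "l": 26, "d": 10, "s": 29}
ALPHABET_SIZE = sum(CLASS_SIZES.values())  # 91

def topology(password: str) -> str:
    """Map each character to its class: u/l/d/s (anything else counts as special)."""
    mask = []
    for ch in password:
        if ch in string.ascii_uppercase:
            mask.append("u")
        elif ch in string.ascii_lowercase:
            mask.append("l")
        elif ch in string.digits:
            mask.append("d")
        else:
            mask.append("s")
    return "".join(mask)

def topology_keyspace(mask: str) -> int:
    """Number of passwords that fit one topology exactly."""
    return prod(CLASS_SIZES[c] for c in mask)

def keyspace_reduction(mask: str) -> int:
    """How many times smaller the topology's space is than all passwords of that length."""
    return ALPHABET_SIZE ** len(mask) // topology_keyspace(mask)

def rank_topologies(passwords):
    """Topologies by frequency, most common first: the order an attacker would try them."""
    return Counter(topology(p) for p in passwords).most_common()

def top_n_coverage(passwords, n: int) -> float:
    """Share of the set reached by trying only the n most common topologies."""
    ranked = rank_topologies(passwords)
    return sum(count for _, count in ranked[:n]) / len(passwords)

# Constructed sample, standing in for plaintexts recovered in an authorised audit
SAMPLE = ["Summer2013!", "Spring2013!!", "Winter.2013", "F1rst.L@st",
          "Foo!Bar11", "Autumn2014!", "Summer2014!"]

if __name__ == "__main__":
    print(keyspace_reduction("ulllsullllsdddd"))  # about 5.3 billion
    for mask, count in rank_topologies(SAMPLE):
        print(f"{mask:16} {count}")
    print(f"top-1 coverage: {top_n_coverage(SAMPLE, 1):.0%}")
```

Run against the output of a periodic authorised password audit, a high top-n coverage is the signal that a complexity policy is funnelling users into a few predictable topologies.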