Hacking Passwords that Satisfy Common Password Policies

The password policies for 14 popular websites were checked and a list of passwords that satisfied the minimal requirements created for each website. 58 users then created realistic passwords that satisfied the minimal requirements. A special purpose cracking computer was built to crack these passwords using dictionary and brute-force attacks. All minimal passwords were cracked and it was found that weaker password policies produced weaker realistic passwords. It is recommended that password policies increase the minimal length to 8 characters, require a more diverse alphabet, prevent simple passwords based on repetitions and sequences, and check a database of already hacked passwords.