Oh, but if that was possible. About half of password protected sites require password changes every XX months or whenever an event such as a failed login occurs. The result is people carrying around devices with password lists on them. Disaster waiting to happen.
The counter argument is that a password is not considered “strong” until the time it takes to break the password (called cracking) via brute force exceeds the change window.
For example:
An 8 character NTLM (windows) password has a maximum brute force test of 6.6 quadrillion combinations. Since I work in security and as a pen tester, I have built a cracking server that can go through that entire space in less than 15 hours.
That is assuming the worst case scenario. In reality, users are creatures of habit and often use easily guessed passwords. I have compiled a list of over 2 Billion passwords by assembling hundreds of password lists from the dark web. Very often when I test a client’s Active Directory account, I find about 20% of the passwords are contained in this list. I recently tested a regional financial institution and was able to test their ~2,000 accounts against the 2 billion passwords in about 5 minutes of computer time.
In reality, most users only use upper case, lower case, numbers and keyboard special characters. Adding these up (24 + 24 + 10 + 30) means that the key space is not the full 95 possible but rather 88. So an 8 character password is 88^8 in total size. In reality, it is only about 3.5 quadrillion tests that need to be made.
In essence, it now requires a 10 character password to qualify as “strong”. That would take my cracking server about 6.7 years to go through the entire keyspace. That is well outside the 90 day window for changing the password.
That is why I am telling my customers to adopt a pass PHRASE, instead of a password.
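The keyspace-versus-rotation-window reasoning in the comment above, worked through as an added example (this is not the commenter's code or tooling). It models a password's keyspace as charset_size ** length, derives a guess rate from the stated benchmark of exhausting 95^8 in 15 hours (an assumption taken from the comment, not a measured figure), finds the minimum length whose full keyspace outlasts a 90-day change window, and audits a constructed set of account passwords against a constructed breached-password list held as SHA-1 digests so the plaintext list is never stored alongside the audit. All sample passwords and the breach list are constructed for illustration.

```python
"""Added example: does a length policy beat the rotation window, and how many
accounts reuse a known-breached password?  Uses the keyspace model
keyspace = charset_size ** length and time = keyspace / guesses_per_second."""
import hashlib

SECONDS_PER_HOUR = 3600
SECONDS_PER_DAY = 86400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# Character-set sizes used in the comment: full printable ASCII (95) and the
# reduced set the commenter says users actually draw from (88).
FULL_PRINTABLE = 95
TYPICAL_USER_SET = 88


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates an exhaustive brute force must try."""
    return charset_size ** length


def rate_from_benchmark(charset_size: int, length: int, hours: float) -> float:
    """Derive guesses/second from 'this rig exhausts charset^length in N hours'.
    Assumption: the benchmark rig from the comment does 95^8 in 15 hours."""
    return keyspace(charset_size, length) / (hours * SECONDS_PER_HOUR)


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to walk the entire keyspace at the given rate."""
    return keyspace(charset_size, length) / guesses_per_second


def outlasts_window(charset_size: int, length: int, guesses_per_second: float,
                    window_days: float) -> bool:
    """The comment's 'strong' criterion: full keyspace takes longer than the change window."""
    return seconds_to_exhaust(charset_size, length, guesses_per_second) > window_days * SECONDS_PER_DAY


def min_length_for_window(charset_size: int, guesses_per_second: float, window_days: float) -> int:
    """Smallest length whose keyspace outlasts the rotation window at this rate."""
    length = 1
    while not outlasts_window(charset_size, length, guesses_per_second, window_days):
        length += 1
    return length


def sha1_hex(password: str) -> str:
    """Digest used to store the breach list without keeping plaintext around."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def breached_fraction(account_passwords: dict, breached_digests: set) -> float:
    """Share of accounts whose password appears in the breached list (by SHA-1)."""
    if not account_passwords:
        return 0.0
    hits = sum(1 for pw in account_passwords.values() if sha1_hex(pw) in breached_digests)
    return hits / len(account_passwords)


# Constructed breach list (stand-in for a multi-billion-entry corpus), stored as digests.
BREACHED_DIGESTS = {sha1_hex(p) for p in ["Password1", "Summer2019!", "Welcome123"]}

# Constructed sample of account passwords for a policy audit.
SAMPLE_ACCOUNTS = {
    "alice": "Summer2019!",        # in the breach list
    "bob": "correct horse battery staple",
    "carol": "R7#kq2!vXz",
    "dave": "Tr0ub4dor&3",
    "erin": "m3xx!9Qp-Lw",
}


def audit(window_days: float = 90.0, benchmark_hours: float = 15.0) -> dict:
    """Run the whole analysis and return the figures a policy reviewer wants."""
    rate = rate_from_benchmark(FULL_PRINTABLE, 8, benchmark_hours)
    return {
        "guesses_per_second": rate,
        "hours_for_88_to_the_8": seconds_to_exhaust(TYPICAL_USER_SET, 8, rate) / SECONDS_PER_HOUR,
        "years_for_88_to_the_10": seconds_to_exhaust(TYPICAL_USER_SET, 10, rate) / SECONDS_PER_YEAR,
        "min_length_typical_set": min_length_for_window(TYPICAL_USER_SET, rate, window_days),
        "min_length_full_set": min_length_for_window(FULL_PRINTABLE, rate, window_days),
        "breached_fraction": breached_fraction(SAMPLE_ACCOUNTS, BREACHED_DIGESTS),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value:,.3f}" if isinstance(value, float) else f"{key}: {value}")
```

The keyspace arithmetic reproduces the comment's conclusion: at the benchmark rate, 8 characters from an 88-symbol set fall in a few hours, 9 characters in under the 90-day window, and 10 characters is the first length whose exhaustive search runs into years. The breach-list check is the cheaper and usually more productive control; a policy that only raises length does nothing about the accounts already using a password that appears in a public dump.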