On Wed, Apr 27, 2016 at 5:08 PM, Sean Martin <[email protected]> wrote:
> A recently updated password policy has sparked some debate at %dayjob%. It
> contains some of the expected requirements:
>
> - unique per account
> - varying length requirements based on account type (domain user,
> administrative user, etc.)
> - don't include userID or personal information (birthday, phone number, SS#,
> etc.)
> - standard complexity requirements (uppercase/lowercase/numerical/special)
Fairly useful.
> ...then some additional requirements, which are raising some eyebrows:
>
> - must not contain a dictionary word
> - must not contain repetitive or sequential characters
> - must not be derived from publicly searchable internet or social media
> information (favorite sports team, names of friends or family, schools,
> restaurants, etc.)
>
> While I understand the intent, my opinion is that no typical end-user is
> going to truly understand what these requirements mean, or will simply find
> them too difficult to comply with. Our current expiration policy is 90 days.
> I believe the end users would rather deal with more frequent password changes
> than have to adhere to the above stated policy.
>
> Interested in other opinions....
>
> - Sean
The latter requirements you pointed out as raising eyebrows are -
despicable. How's that for an opinion? :)
Length trumps complexity. I would seriously emphasize user education,
pointing them in the direction of passphrases, and using 16+
characters. Simple sentences with all of the usual spacing,
punctuation and capitalization are definitely strong enough, easy
enough to remember and easy enough to type - and it frankly seems to
encourage people to use longer passwords than even the 16 character
minimum, which is a big bonus.
These passphrases:
My girlfriend and I love to go swimming.
(40 characters)
or
My horse has won 27 races!
(26 characters)
will, on average, take much longer to crack than, say:
$Gr08x^%27
(10 characters)
And they are simple (and probably faster) to type, simple to remember
and contain enough complexity.
Kurt
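To make the disagreement in this thread concrete, here is an added example (not code from either poster) that implements Sean's policy rules as a checker and adds a pure brute-force search-space estimate for Kurt's length argument. The word list, the "three in a row" thresholds for repeats and sequences, and the 8-character minimum are my assumptions; the brute-force figure is an upper bound and says nothing about dictionary or passphrase guessing.

```python
import math
import re
import string

# Constructed stand-in for a real word list; a production check would load one.
DICTIONARY = {"girlfriend", "love", "swimming", "horse", "races", "password"}
SPECIALS = string.punctuation + " "

def has_repeats(pw, run=3):
    """True if some character appears `run` or more times in a row, e.g. 'aaa'."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None

def has_sequence(pw, run=3):
    """True if `run` consecutive characters step by +1 or -1, e.g. 'abc' or '321'."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        steps = {codes[j + 1] - codes[j] for j in range(i, i + run - 1)}
        if steps == {1} or steps == {-1}:
            return True
    return False

def contains_dictionary_word(pw, min_len=4):
    """Case-insensitive substring match, i.e. the policy's 'dictionary word' rule."""
    lowered = pw.lower()
    return any(w in lowered for w in DICTIONARY if len(w) >= min_len)

def char_classes(pw):
    """How many of the four classes (upper/lower/digit/special) are present."""
    tests = (str.isupper, str.islower, str.isdigit, lambda c: c in SPECIALS)
    return sum(any(t(c) for c in pw) for t in tests)

def check_policy(pw, min_len=8):
    """Return the names of the rules `pw` violates; an empty list means accepted."""
    failures = []
    if len(pw) < min_len:
        failures.append("length")
    if char_classes(pw) < 3:
        failures.append("complexity")
    if contains_dictionary_word(pw):
        failures.append("dictionary_word")
    if has_repeats(pw) or has_sequence(pw):
        failures.append("repeat_or_sequence")
    return failures

def brute_force_bits(pw):
    """log2 of the exhaustive search space (alphabet ** length): an upper bound only."""
    sizes = ((str.isupper, 26), (str.islower, 26), (str.isdigit, 10),
             (lambda c: c in SPECIALS, len(SPECIALS)))
    alphabet = sum(n for t, n in sizes if any(t(c) for c in pw))
    return len(pw) * math.log2(alphabet)
```

Run against the thread's three samples, both passphrases are rejected solely for containing dictionary words while `$Gr08x^%27` passes every rule, even though its brute-force space is far smaller.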