- good passwords are hard to remember, and
- passwords you can remember are easy for attackers to guess.
- 8 characters;
- upper/lower case;
- special characters.
I have finally seen a password construction policy that makes sense. It came out from Stanford University a couple of weeks ago. There were some reports on this, but I didn't see as much coverage as this deserved.
This is the most intelligent password policy I've seen. Basically, it leverages a key fact of password construction... size matters! So, the longer the password, the fewer character types are required. Here is a summary:
- passwords must be at least 8 characters long;
- 8-11 characters require: upper/lower, numeric and special characters;
- 12-15 characters require: upper/lower and numeric;
- 16-19 characters require: upper and lower case characters;
- 20+ characters... whatever you want!
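To make the sliding scale concrete, here is an added example checker (my own code, not Stanford's policy text or anything from the original post) that applies the tiers exactly as summarised above. It assumes that any character which is not a letter or digit (including whitespace) counts as "special"; Stanford's actual definition may differ.

```python
# Sliding-scale policy as summarised above: the longer the password,
# the fewer character classes it must contain. Each tier is
# (minimum length, set of required character classes), longest first.
TIERS = [
    (20, set()),                                   # 20+: anything goes
    (16, {"upper", "lower"}),                      # 16-19
    (12, {"upper", "lower", "digit"}),             # 12-15
    (8,  {"upper", "lower", "digit", "special"}),  # 8-11
]

MIN_LENGTH = 8


def character_classes(password: str) -> set:
    """Return the set of character classes present in the password.

    Assumption of this example: anything that is not a letter or a
    digit (punctuation, whitespace, symbols) is treated as 'special'.
    """
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def required_classes(length: int) -> set:
    """Return the classes the policy demands for a password of this length."""
    for min_len, required in TIERS:
        if length >= min_len:
            return required
    return set()  # only reached below MIN_LENGTH, which is rejected anyway


def check_password(password: str) -> tuple:
    """Evaluate a candidate against the policy; returns (accepted, reason)."""
    if len(password) < MIN_LENGTH:
        return False, "shorter than %d characters" % MIN_LENGTH
    missing = required_classes(len(password)) - character_classes(password)
    if missing:
        return False, "missing " + ", ".join(sorted(missing))
    return True, "ok"
```

Note that the checker rewards length before complexity: a 28-character passphrase of lowercase words passes, while a 13-character password with no upper case letter does not.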
Of course, I'm still mostly a fan of using password vaults with totally random passwords generated by the vault. I've written about vaults a number of times. My favorite is still LastPass, but KeePass is also highly rated and 1Password and PasswordSafe are also good choices.
What are your thoughts? Do you think a "sliding scale" password policy like Stanford's would play well at your organization?