Password policy

A password policy is a set of rules designed to enhance computer security by encouraging users to employ strong passwords and use them properly. A password policy is often part of an organization's official regulations and may be taught as part of security awareness training. Either the password policy is merely advisory, or the computer systems force users to comply with it. Some governments have national authentication frameworks that define requirements for user authentication to government services, including requirements for passwords.

The United States Department of Commerce's National Institute of Standards and Technology (NIST) has published two standards for password policies that have been widely followed.

From 2004, NIST Special Publication 800-63, Appendix A, advised people to use irregular capitalization, special characters, and at least one numeral. This was the advice that most systems followed, and it was "baked into" a number of standards that businesses needed to follow.

However, a major update in 2017 changed this advice: in particular, forcing complexity requirements and regular password changes is now seen as bad practice.

The key points of these are:

NIST included a rationale for the new guidelines in its Appendix A.

Typical components of a password policy include:

Many policies require a minimum password length. Eight characters is typical but may not be appropriate. Longer passwords are almost always more secure, but some systems impose a maximum length for compatibility with legacy systems.
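As an added illustration (not part of the original article, and not code from NIST), the two policy styles contrasted above can be written as simple validators: a 2004-style composition check and a 2017-style check that relies on length alone, with an optional maximum only where a legacy system forces one. The minimum length of eight, the legacy maximum of 64 and the sample passwords are constructed assumptions.

```python
import re
from typing import List, Optional

# Constructed policy thresholds for this example; not taken from any real policy document.
MIN_LENGTH = 8
LEGACY_MAX_LENGTH = 64  # assumption: a legacy back end that cannot store longer passwords


def check_2004_style(password: str) -> List[str]:
    """Composition rules in the spirit of the 2004 advice: mixed case,
    at least one numeral and at least one special character, plus a
    minimum length. Returns a list of policy violations (empty = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("needs both upper-case and lower-case letters")
    if not re.search(r"[0-9]", password):
        problems.append("needs at least one numeral")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("needs a special character")
    return problems


def check_2017_style(password: str, max_length: Optional[int] = None) -> List[str]:
    """Length-based check in the spirit of the 2017 revision: no composition
    rules and no forced rotation, only a minimum length and, where a legacy
    system imposes one, a maximum length. Returns a list of violations."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if max_length is not None and len(password) > max_length:
        problems.append(f"longer than the {max_length}-character legacy limit")
    return problems


def compare_policies(password: str, max_length: Optional[int] = None) -> dict:
    """Evaluate one password under both styles so the difference is visible."""
    return {
        "2004_style": check_2004_style(password),
        "2017_style": check_2017_style(password, max_length),
    }


if __name__ == "__main__":
    # Constructed sample inputs: a long passphrase, a short "complex" password
    # and a password that exceeds the assumed legacy maximum.
    for sample in ["correcthorsebatterystaple", "Pa$sw0rd", "short1!", "x" * 70]:
        print(repr(sample[:20]), compare_policies(sample, LEGACY_MAX_LENGTH))
```

The passphrase example is the point: the long, lower-case passphrase fails every composition rule of the 2004 style yet is accepted under the 2017 style, while a short password built to satisfy the composition rules passes the 2004 check even though it gains nothing from its complexity.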
