Password Policy
Everyone knows the traditional password policy: 8 or more characters, no repeated characters, no dictionary words, include numbers and symbols, change the password every month... The trouble is that this is old advice, and even if it was good advice originally it often is not now.
Threats
1. Using guessed passwords at the login prompt
2. Stealing passwords by shoulder-surfing or keylogging
3. Using passwords stolen from other sites used by the same people
4. Running password crackers against a stolen copy of the password database
A password policy adequate to defend against (1) may be woefully short of what is needed to defend against (4).
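The gap between threat (1) and threat (4) is a matter of guess rate: a login prompt can be rate-limited, while a cracker working on a stolen database is limited only by hardware and by how the passwords were stored. The Python below is an added worked example, not part of the original page; the guess rates, the 10-year "adequate" horizon and the character-class sizes are constructed assumptions chosen to make the comparison concrete, and it treats passwords as uniformly random, which real user choice never is.

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 3600

# Constructed, illustrative attacker guess rates (guesses per second).
# These are assumptions for this example, not figures from the page.
GUESS_RATES = {
    "online login prompt (rate-limited)": 10.0,    # threat (1)
    "offline, fast unsalted hash on GPUs": 1e10,   # threat (4), weak storage
    "offline, slow salted KDF": 1e4,               # threat (4), strong storage
}

# Approximate sizes of the usual character classes (assumed values).
CHARSET_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}


def keyspace(length, classes):
    """Number of passwords of the given length drawn uniformly from the classes.

    This is an upper bound: users pick far from uniformly, and a rule such as
    'must contain a digit and a symbol' actually shrinks the space slightly.
    """
    alphabet = sum(CHARSET_SIZES[c] for c in classes)
    return alphabet ** length


def expected_years(space, guesses_per_second):
    """Expected time to hit a uniformly random password: half the keyspace."""
    return (space / 2) / guesses_per_second / SECONDS_PER_YEAR


def adequate(space, guesses_per_second, horizon_years=10):
    """Constructed threshold: adequate if expected cracking time beats the horizon."""
    return expected_years(space, guesses_per_second) > horizon_years


def policy_report(name, length, classes):
    """Evaluate one policy against every modelled guess rate."""
    space = keyspace(length, classes)
    verdicts = {threat: adequate(space, rate) for threat, rate in GUESS_RATES.items()}
    return {"policy": name, "bits": math.log2(space), "verdicts": verdicts}


if __name__ == "__main__":
    reports = (
        policy_report("classic 8-char mixed", 8, ["lower", "upper", "digit", "symbol"]),
        policy_report("16 random lower-case letters", 16, ["lower"]),
    )
    for report in reports:
        print(f"{report['policy']}: {report['bits']:.1f} bits")
        for threat, ok in report["verdicts"].items():
            print(f"  {threat}: {'adequate' if ok else 'NOT adequate'}")
```

Run as a script, it shows the classic 8-character mixed policy holding up against the rate-limited login prompt for millions of years but falling in days against a fast unsalted hash; the same policy is fine against an offline attack only when the database uses a slow, salted KDF. That is the point of the sentence above: the storage method and the attacker's guess rate, not the character rules alone, decide whether a policy is adequate against threat (4).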
Controls
Start by reading CESG's Password Guidance
- Do this
- And this
Application
Apply this control when ...
--
AndrewFindlay - 09 May 2017