Password Policy

Everyone knows about password policy: 8 or more characters, no repeats, no words, include numbers and symbols, change password every month... The trouble is that this is old advice, and even if it was originally good advice, it often is not now.

Threats

  1. Using guessed passwords at the login prompt
  2. Stealing passwords by shoulder-surfing or keylogging
  3. Using passwords stolen from other sites used by the same people
  4. Running password crackers against a stolen copy of the password database

A password policy adequate to defend against (1) may be woefully short of what is needed to defend against (4).
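The gap between threats (1) and (4) can be put in numbers. The following is an added example, not part of the original page: both guess rates are assumed values for illustration, and passwords are assumed to be uniformly random over the 95 printable ASCII characters (human-chosen passwords fall much faster).

```python
# Added example: compares the password length needed against throttled
# online guessing (threat 1) with offline cracking of a stolen database
# (threat 4). All rates below are assumptions, not figures from the page.

SECONDS_PER_YEAR = 365 * 24 * 3600

# Assumed: login throttling allows 10 guesses per hour per account.
ONLINE_RATE = 10 / 3600
# Assumed: attacker tests 10 billion candidates per second against a
# fast, unstretched hash in a stolen password database.
OFFLINE_RATE = 1e10

PRINTABLE_ASCII = 95  # assumed alphabet: letters, digits, symbols, space


def keyspace(length, alphabet_size):
    """Number of distinct passwords of exactly this length."""
    return alphabet_size ** length


def years_to_search_half(length, alphabet_size, guesses_per_second):
    """Expected years to hit a uniformly random password (half the keyspace)."""
    seconds = keyspace(length, alphabet_size) / 2 / guesses_per_second
    return seconds / SECONDS_PER_YEAR


def min_length(alphabet_size, guesses_per_second, target_years):
    """Smallest length whose expected search time is at least target_years."""
    needed = 2 * guesses_per_second * target_years * SECONDS_PER_YEAR
    length = 1
    while keyspace(length, alphabet_size) < needed:
        length += 1
    return length


if __name__ == "__main__":
    for name, rate in (("online", ONLINE_RATE), ("offline", OFFLINE_RATE)):
        years = years_to_search_half(8, PRINTABLE_ASCII, rate)
        need = min_length(PRINTABLE_ASCII, rate, 10)
        print(f"{name:8s} 8 chars: {years:.3g} years; "
              f"length for 10 years: {need}")
```

Under these assumptions a random 8-character password is far beyond reach at the login prompt but lasts only a few days against the stolen database, so the length requirement must be set by the threat you actually need to resist.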

Controls

Start by reading CESG's Password Guidance

  1. Do this
  2. And this

Application

Apply this control when ...

-- AndrewFindlay - 09 May 2017
Topic revision: r1 - 09 May 2017, AndrewFindlay
