Does anyone have some “go-to” references or authorities on password policy?
I am looking to provide guidance to my company’s users on how to create better passwords, but I’m having a hard time finding any current guidelines/recommendations.
Specifically, I think I want to push people to passphrases rather than passwords, but I can’t find reliable references on what constitutes a “good” passphrase.
Passphrase
A passphrase is a memorized secret consisting of a sequence of words or other text that a claimant uses to authenticate their identity. A passphrase is similar to a password in usage, but is generally longer for added security.
Does your system allow you to make rules on how the passwords must be configured? Passphrases are a good idea that I should probably implement in my system.
At minimum, set a minimum password length, require capital and lowercase letters, require a number, and require a special character. And if security is a little higher, set an expiration time period, and do not allow past passwords to be used. The time period can range from really short but annoying, to way too long, at which point it might as well never expire. 6 months is common, 3 months tighter, 1 month would border on annoying for most users.
Password complexity and expiration actually lead to bad password practices by end users. The current best practices are to avoid these. Microsoft has a good page that summarizes everything:
If you look up “password complexity policy do more harm than good” you’ll see lots of articles online about this. They all stem from NIST changing the guidelines to using passphrases that are just regular language phrases that are easy to remember but hard to guess, and then just instructing end users to change their passphrases manually if there’s ever a compromise, which should never happen now if you enforce the use of a password manager like 1Password and 2FA/MFA on all accounts.
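To make the two policies above concrete, here is an added example (not from any poster in this thread) that implements a NIST SP 800-63B style check: a length floor and ceiling, a blocklist screen instead of upper/lower/digit/symbol composition rules, and no expiry. It also compares the entropy of a character-class password against a random word passphrase, which is the argument behind the passphrase recommendation. The breached-password blocklist and the word list are constructed stand-ins; a real deployment would screen against a full breached-password corpus and draw words from a large list such as the EFF 7776-word list. The 8/64 character limits are the SP 800-63B figures.

```python
import math
import secrets

# Constructed stand-in for a breached-password list; real systems use a full corpus.
BREACHED = {"password", "123456", "qwerty", "letmein", "welcome1", "summer2023!"}

MIN_LEN = 8    # SP 800-63B minimum length for user-chosen secrets
MAX_LEN = 64   # SP 800-63B: verifiers must accept at least 64 characters

# Constructed miniature word list; a real one (e.g. EFF long list) has 7776 entries.
WORDLIST = ["correct", "horse", "battery", "staple", "orbit", "canvas",
            "lantern", "meadow", "quartz", "ripple", "saddle", "timber"]


def check_password(candidate: str) -> list[str]:
    """Return the list of policy violations; an empty list means accepted.

    Deliberately no composition rules: length plus a blocklist screen is the
    SP 800-63B model, and it rejects "password" while accepting a long phrase.
    """
    problems = []
    if len(candidate) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(candidate) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if candidate.lower() in BREACHED:
        problems.append("appears in the breached-password blocklist")
    if len(set(candidate)) == 1:
        problems.append("single repeated character")
    return problems


def charset_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string of `length` symbols from an alphabet."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of `word_count` words drawn uniformly from a list of `wordlist_size`."""
    return word_count * math.log2(wordlist_size)


def generate_passphrase(word_count: int = 4, wordlist: list[str] = WORDLIST,
                        sep: str = "-") -> str:
    """Draw words with a CSPRNG; entropy depends only on word count and list size."""
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))


if __name__ == "__main__":
    for pw in ["password", "P@ssw0rd!", "correct horse battery staple"]:
        print(f"{pw!r}: {check_password(pw) or 'accepted'}")
    # 8 printable-ASCII characters vs. words from a 7776-entry list
    print("8 chars, 95-symbol alphabet:", round(charset_entropy_bits(8, 95), 1), "bits")
    print("4 words from 7776:", round(passphrase_entropy_bits(4, 7776), 1), "bits")
    print("6 words from 7776:", round(passphrase_entropy_bits(6, 7776), 1), "bits")
    print("sample passphrase:", generate_passphrase())
```

The numbers show why length wins: four random words from a 7776-word list (about 51.7 bits) already match an 8-character password drawn uniformly from the full printable keyboard (about 52.6 bits), and six words (about 77.5 bits) exceed it comfortably, while being far easier to remember. Note that the entropy figures only hold for randomly chosen words; a sentence a user writes themselves is much more predictable than a dictionary draw, so the blocklist and the length floor carry the policy in practice.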
Maybe this is stupid, but personally I use something akin to a passphrase, but I only use the first letter from each word in the phrase, and I alternate capitalization. So something like “My name is John, I was born on January 1, 1986. I love my mom” would become MnijIwbo111986Ilmm. I don’t use any real data in these phrases. Clearly my birthday isn’t 1/1/1986, and my name isn’t John. But it makes it an easy rhyme to remember and it seems to me like it gives a pretty strong password