Anyone who has spent a fair bit of time dealing with passwords and password security knows the pain of trying to establish a good password policy. That is, one which:
- results in resistance to online and offline password-guessing attacks
- won’t cause your users to rebel and burn down the office
- maximizes the chances that your users will choose and remember a strong password
There is a great deal of guidance on this, including the NIST Electronic Authentication Guideline (pdf) that is commonly-referenced as a source for the “8 chars, mixed-case, digits, and special chars” default password policy that so many organizations establish.
But what about when you switch to passphrases? How do you set a passphrase policy that gives you same-or-better security as a good password policy?
When organizations start to consider switching from pass-words to pass-phrases—that is, authentication secrets made up of a series of words rather than simply characters—they end up either needlessly resisting passphrases or coming up with truly mind-boggling policies around them. It seems that many organizations have never ingested the reasoning behind common password guidance.
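To make the "same-or-better security" question concrete, here is an added worked example (my own code, not part of the original post) that compares the guess space of a character-policy password with that of a word-list passphrase, and computes how many words a passphrase needs to match a given password policy. It assumes a 95-character printable ASCII alphabet for the "8 chars, mixed-case, digits, and special chars" policy and a 7776-word list (the size of a common Diceware-style list); both are assumptions, and the figures are upper bounds because they treat every character or word as chosen uniformly at random, which human-chosen secrets are not.

```python
import math

# Assumed character-class sizes for the "8 chars, mixed-case, digits, and
# special chars" style policy. 33 specials = printable ASCII minus alphanumerics.
CHAR_CLASSES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}

# Assumed word-list size (a Diceware-style list has 6**5 = 7776 words).
DEFAULT_WORDLIST_SIZE = 7776


def password_bits(length, classes=("lower", "upper", "digit", "special")):
    """Entropy in bits of a uniformly random password of `length` characters
    drawn from the union of the given character classes."""
    alphabet = sum(CHAR_CLASSES[c] for c in classes)
    return length * math.log2(alphabet)


def passphrase_bits(words, wordlist_size=DEFAULT_WORDLIST_SIZE):
    """Entropy in bits of `words` words chosen uniformly from the list."""
    return words * math.log2(wordlist_size)


def words_needed(target_bits, wordlist_size=DEFAULT_WORDLIST_SIZE):
    """Smallest word count whose passphrase entropy is at least `target_bits`."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def seconds_to_exhaust(bits, guesses_per_second):
    """Time to enumerate the whole guess space at a given guess rate.
    Use a low rate for online guessing (rate-limited logins) and a high
    rate for offline guessing against a stolen hash database."""
    return (2.0 ** bits) / guesses_per_second


def compare_policies(password_length, words, wordlist_size=DEFAULT_WORDLIST_SIZE):
    """Return a summary dict comparing a character password policy with a
    passphrase policy, including the word count that matches the password."""
    pw_bits = password_bits(password_length)
    pp_bits = passphrase_bits(words, wordlist_size)
    return {
        "password_bits": round(pw_bits, 2),
        "passphrase_bits": round(pp_bits, 2),
        "passphrase_at_least_as_strong": pp_bits >= pw_bits,
        "words_to_match_password": words_needed(pw_bits, wordlist_size),
    }


if __name__ == "__main__":
    summary = compare_policies(password_length=8, words=4)
    for key, value in summary.items():
        print(f"{key}: {value}")
    # Offline guessing at an assumed 1e10 guesses/second vs. online at 10/second.
    for label, rate in (("offline", 1e10), ("online", 10)):
        secs = seconds_to_exhaust(password_bits(8), rate)
        print(f"8-char password, {label}: {secs / 86400 / 365:.2e} years to exhaust")
```

Running it shows that, under these assumptions, an 8-character password from the full printable set is worth a little over 52 bits, a 4-word passphrase from a 7776-word list falls just short of that, and 5 words are needed to reach parity. The online/offline split matters because the same secret that survives rate-limited online guessing for centuries can fall to offline guessing in days.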
What I hope to do here is make some small progress toward fixing that situation by:
- Explaining the principles behind password policies
- Applying those principles to passphrases to create a sane passphrase policy
(This is long: if you want, you can skip to the recommendation.)
The principles behind password policies
The idea behind having a strong password policy is to make it infeasible for an ...