Anyone who has spent a fair bit of time dealing with passwords and password security knows the pain of trying to establish a good password policy. That is, one which:

  • results in resistance to online and offline password-guessing attacks
  • won’t cause your users to rebel and burn down the office
  • maximizes the chances that your users will choose and remember a strong password

There is a great deal of guidance on this, including the NIST Electronic Authentication Guideline (pdf) that is commonly referenced as the source for the “8 chars, mixed-case, digits, and special chars” default password policy that so many organizations establish.

But what about when you switch to passphrases? How do you set a passphrase policy that gives you the same or better security than a good password policy?
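A back-of-the-envelope way to compare the two kinds of policy, added here as an example and not part of the original post: it assumes a 95-character printable-ASCII alphabet, a 7776-word Diceware-sized list, and uniformly random choice, which is an upper bound that human-chosen secrets never reach.

```python
import math

# Character-class sizes for printable ASCII (constructed for this example):
# 26 lowercase, 26 uppercase, 10 digits, 33 punctuation/special characters.
ALPHABET_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}


def password_policy_bits(length, classes=("lower", "upper", "digit", "special")):
    """Upper bound on entropy (bits) of a password of `length` characters chosen
    uniformly from the union of the given character classes."""
    alphabet = sum(ALPHABET_SIZES[c] for c in classes)
    return length * math.log2(alphabet)


def passphrase_bits(words, wordlist_size):
    """Entropy (bits) of `words` words chosen uniformly from a list of `wordlist_size`."""
    return words * math.log2(wordlist_size)


def words_needed(target_bits, wordlist_size):
    """Smallest number of randomly chosen words whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def expected_crack_seconds(bits, guesses_per_second):
    """Expected time to find a secret of the given entropy by brute force: on
    average half the space must be searched. Use a small rate for online guessing
    (rate-limited logins) and a large one for offline attacks on stolen hashes."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


if __name__ == "__main__":
    baseline = password_policy_bits(8)  # the "8 chars, 4 classes" policy
    print(f"8-char mixed policy: {baseline:.1f} bits")
    for n in range(3, 7):
        print(f"{n} Diceware words: {passphrase_bits(n, 7776):.1f} bits")
    print("words to match baseline:", words_needed(baseline, 7776))
    # Constructed rates: ~10 guesses/s online versus 1e10 guesses/s offline.
    for label, rate in (("online", 10), ("offline", 1e10)):
        print(f"{label}: {expected_crack_seconds(baseline, rate):.3g} s")
```

The same word count comes out whether the target is stated in bits or as the character-policy length, so the function can be reused to size a passphrase policy against any existing password policy rather than only the 8-character default.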

When organizations start to consider switching from pass-words to pass-phrases—that is, authentication secrets made up of a series of words rather than simply characters—they end up either needlessly resisting passphrases or coming up with truly mind-boggling policies around them. It seems that many organizations have never really internalized the reasoning behind common password guidance.

What I hope to do here is make some small progress toward fixing that situation by:

(This is long: if you want, you can skip to the recommendation.)

The principles behind password policies

The idea behind having a strong password policy is to make it infeasible for an ...