On Thu, Jul 30, 2009 at 1:16 PM, Charlot, Firmin<[log in to unmask]> wrote:
> Hello all,
> We are re-evaluating our password requirements and wondered what others are
> using on their network.
> For example:
> What is the required password length?
I've been told that a minimum of 8 characters is common (3 trillion
combinations of just [a-z0-9])
> Is complexity turned on?
Complexity is an odd option (windows?) We use cracklib (on linux) to
run dictionary checks on user paswords when they go to change them. I
woudl recommend something similar (you don't want users to choose
dictionary passwords is the basic premise here).
> How often do people have to change their passwords?
Once a year
> Can old passwords be recycled? If so, how old must they do?
Your new password cannot equal your current password; I'm not sure how
useful remembering old passwords is. I imagine it would encourage a
class of users to (pre/post)fix their current password with something
or increment/decrement it in order to keep it easy for themselves.
Certainly it seems useful to prevent users from using a small rotation
of passwords; but sadly most password changing systems tend to not
tell the user what passwords they have used in the past and so when it
comes time to pick a new one it is a frustrating experience.
Eg. They try password one, the system tells them not to use an old
password. They try password two, the system tells them not to use an
old password. They try password three, the system tells them the
password is not complex enough. They give up and append a z to their
current password (or similar). It would be nice if the UI just said.
"Pick a new password, it cannot be any of your old passwords and here
they are 'foo' 'blar' baz'."
> Any other requirements that you are using that are not mentioned above would
> helpful as well.
We have a blacklisted set of passwords that we disallow users to use.
Things like the company name, the users name, the users username, and
a set of random well-known default passwords we have used in the past.
We have a custom check for these.