On Thu, Jul 30, 2009 at 1:16 PM, Charlot, Firmin <[log in to unmask]> wrote:
> Hello all,
>
> We are re-evaluating our password requirements and wondered what others are
> using on their network.
>
> For example:
>
> What is the required password length?

I've been told that a minimum of 8 characters is common (3 trillion combinations of just [a-z0-9]).

> Is complexity turned on?

Complexity is an odd option (Windows?). We use cracklib (on Linux) to run dictionary checks on user passwords when they go to change them. I would recommend something similar (you don't want users to choose dictionary passwords is the basic premise here).

> How often do people have to change their passwords?

Once a year.

> Can old passwords be recycled? If so, how old must they do?

Your new password cannot equal your current password; I'm not sure how useful remembering old passwords is. I imagine it would encourage a class of users to (pre/post)fix their current password with something or increment/decrement it in order to keep it easy for themselves.

Certainly it seems useful to prevent users from using a small rotation of passwords; but sadly most password changing systems tend to not tell the user what passwords they have used in the past, and so when it comes time to pick a new one it is a frustrating experience. E.g. they try password one, the system tells them not to use an old password. They try password two, the system tells them not to use an old password. They try password three, the system tells them the password is not complex enough. They give up and append a z to their current password (or similar).

It would be nice if the UI just said: "Pick a new password, it cannot be any of your old passwords and here they are 'foo' 'blar' 'baz'."

> Any other requirements that you are using that are not mentioned above would
> be helpful as well.

We have a blacklisted set of passwords that we disallow users to use. Things like the company name, the user's name, the user's username, and a set of random well-known default passwords we have used in the past. We have a custom check for these.

> Thanks.
>
> Firm.
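The checks the reply above describes (a minimum length, a cracklib-style dictionary check, a site blacklist of the company name, the user's name and username and old default passwords, and "not equal to the current password") put together as one password-change validator. This is an added example, not code from the thread or from cracklib: the word list, the default-password blacklist, the company name "ExampleCorp" and the users are constructed sample data, and the edit-distance check that catches "current password plus a z" goes one step beyond what the reply says its site does.

```python
"""Password-change validator in the spirit of the checks described in the
reply above.  Added example, not code from the thread: the word list,
blacklist, company name and users below are constructed sample data."""
import re

MIN_LENGTH = 8                 # the 8-character minimum mentioned in the reply
COMPANY_NAME = "ExampleCorp"   # constructed; stands in for the real company name

# Constructed stand-in for a cracklib-style dictionary; a real deployment
# would load the system word list or cracklib's packed dictionary instead.
DICTIONARY = {"password", "welcome", "dragon", "monkey", "letmein",
              "sunshine", "football", "summer", "qwerty"}

# Constructed blacklist of default passwords the site has handed out before.
DEFAULT_PASSWORDS = {"changeme", "Welcome1", "Password123"}

# Undo the substitutions people use to dress up a dictionary word.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def candidate_words(password):
    """Base words a cracker would try from this password: lower-cased,
    with leading/trailing digits and symbols stripped, leet undone,
    and each of those reversed."""
    base = password.lower()
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", base)
    forms = {base, stripped, base.translate(LEET), stripped.translate(LEET)}
    forms |= {f[::-1] for f in forms}
    return {f for f in forms if f}


def is_dictionary_based(password, dictionary=DICTIONARY):
    """True if any mangled form of the password is a plain dictionary word."""
    return any(word in dictionary for word in candidate_words(password))


def edit_distance(a, b):
    """Levenshtein distance, used to catch 'old password plus a z'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_new_password(new_pw, current_pw, username, full_name,
                       company=COMPANY_NAME, max_similarity=2):
    """Return the list of reasons to reject new_pw; an empty list means accept.
    All reasons are collected so the user is not told about them one at a time."""
    problems = []
    if len(new_pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if new_pw == current_pw:
        problems.append("same as the current password")
    elif edit_distance(new_pw.lower(), current_pw.lower()) <= max_similarity:
        problems.append("too similar to the current password")
    lowered = new_pw.lower()
    # User-derived terms and the company name are rejected as substrings.
    for term in [username, company, *full_name.split()]:
        if len(term) >= 3 and term.lower() in lowered:
            problems.append(f"contains '{term}'")
    if lowered in {d.lower() for d in DEFAULT_PASSWORDS}:
        problems.append("is a known default password")
    if is_dictionary_based(new_pw):
        problems.append("is based on a dictionary word")
    return problems


if __name__ == "__main__":
    for pw in ["P@ssw0rd1", "Summer2009z", "ExampleCorp2009!", "Zq7!vR2#mLp9"]:
        result = check_new_password(pw, "Summer2009", "jdoe", "Jane Doe")
        print(pw, "->", result or "accepted")
```

The validator returns every failing rule at once rather than the first one it hits, which is the smallest fix for the frustration the reply describes; the history check ("none of your previous passwords") would slot in as one more rule against a per-user list of stored hashes, since the old passwords themselves should not be kept in the clear.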