What makes a secure password? Can you force users to make their passwords more secure, or does doing so just result in stupid password rules?
Looking at rules and guidelines from NIST, PCI DSS, the UK NCSC, Microsoft, Red Hat and Google, I unravel the rules that help make passwords secure, and the ones that stupidly make passwords less secure.
Understand the difference between minimum password age and maximum password age (password expiry), and why neither makes your password more secure.
Transcript: Stupid password rules - Guide to making rules that make passwords secure - Video Transcript
The summary of my findings is below. See the video above for an explanation of why I suggest these.
I agree with the NIST recommendation (SP 800-63B) that users should not be forced to change their password after a set time.
"Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator."
Note however that if you handle credit card payments then you may need to comply with PCI DSS, which requires passwords to be changed at least every 90 days.
Just don't do it! It's a stupid password rule: it doesn't make the password any more secure and it can increase the risk.
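On Linux both rules live in /etc/shadow: field 4 is the minimum password age (days before the user may change the password again) and field 5 is the maximum age (days after which a change is forced). As an added example, not code from this page or its author, the script below reads shadow-format lines and reports which accounts have either rule set, with the `chage` command that removes it. The sample lines are constructed (hashes abbreviated), and the helper names `audit_shadow`/`flagged_users` and the treatment of the conventional 99999 default as "never" are my own assumptions.

```python
"""Audit Linux /etc/shadow entries for minimum and maximum password age.

Field layout of a shadow line (see shadow(5)):
  name:hash:lastchange:min:max:warn:inactive:expire:reserved
  - field 4 (min): days before the user may change the password again
    (minimum password age); 0 or empty means no restriction.
  - field 5 (max): days after which the password must be changed
    (maximum password age); empty means no maximum, and 99999 is the
    conventional "never" default written by most distributions.
"""

from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data in /etc/shadow format (hashes abbreviated);
# not taken from a real system.
SAMPLE_SHADOW = """\
root:$6$abc$xyz:19000:0:99999:7:::
alice:$6$abc$xyz:19000:1:90:7:::
bob:$6$abc$xyz:19000:0:99999:7:::
carol:$6$abc$xyz:19000:7::7:::
daemon:*:18000:0:99999:7:::
"""

NEVER = 99999  # assumption: treat the login.defs default as "no expiry"


@dataclass
class AgeFinding:
    user: str
    min_days: Optional[int]
    max_days: Optional[int]
    problems: list[str] = field(default_factory=list)

    @property
    def remediation(self) -> Optional[str]:
        """chage command that clears both rules (-M -1 = no maximum, -m 0 = no minimum)."""
        if not self.problems:
            return None
        return f"chage -M -1 -m 0 {self.user}"


def _parse_days(value: str) -> Optional[int]:
    return int(value) if value.strip() else None


def audit_shadow(shadow_text: str) -> list[AgeFinding]:
    """One finding per password-capable account; problems is empty when no age rule is set."""
    findings = []
    for raw in shadow_text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        parts = raw.split(":")
        if len(parts) < 9:
            continue  # malformed line: skip rather than guess
        name, pw_hash = parts[0], parts[1]
        # Locked and service accounts ('*' or '!...') cannot log in with a password.
        if pw_hash.startswith(("*", "!")):
            continue
        min_days = _parse_days(parts[3])
        max_days = _parse_days(parts[4])
        finding = AgeFinding(name, min_days, max_days)
        if max_days is not None and 0 <= max_days < NEVER:
            finding.problems.append(
                f"maximum password age of {max_days} days forces a periodic change")
        if min_days is not None and min_days > 0:
            finding.problems.append(
                f"minimum password age of {min_days} days blocks an immediate change "
                "after a suspected compromise")
        findings.append(finding)
    return findings


def flagged_users(shadow_text: str) -> dict[str, str]:
    """Map each account that has an age rule to the chage command that removes it."""
    return {f.user: f.remediation for f in audit_shadow(shadow_text) if f.problems}


if __name__ == "__main__":
    for f in audit_shadow(SAMPLE_SHADOW):
        print(f"{f.user}: {'; '.join(f.problems) or 'no age rules'}")
        if f.remediation:
            print(f"  fix: {f.remediation}")
```

Run it against the real file with `sudo python3 audit_shadow.py < /etc/shadow` after swapping `SAMPLE_SHADOW` for `sys.stdin.read()`; the `chage -M -1` form is the documented way to remove the maximum-age check, and `-m 0` lets the user change the password at any time.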
NIST says not to impose composition rules; PCI DSS requires letters and numbers. I think these are both sensible. I don't believe that adding special characters is worth the additional inconvenience.
Checking new passwords against a blacklist of common and known-breached passwords is a useful way to stop users choosing them. User education also helps.
PCI DSS says a minimum of 7 characters. Microsoft's Windows guidance recommends a minimum of 14 characters. I would suggest 8 characters as a useful minimum.
NIST only recommends limiting the length of passwords where processing very long passwords becomes computationally expensive, and says verifiers should permit at least 64 characters. Be aware that some hash functions impose their own limit (bcrypt, for example, only uses the first 72 bytes of input), so set any maximum to a value your hashing scheme actually honours.
Where possible, equipment should ship without a default password, or with a password unique to each device. If you do have equipment that ships with a shared default password then the password should be changed immediately.
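As an added example (not the page's own code), here is a password acceptance check that applies the rules summarised in the last few paragraphs: NFKC normalisation, a minimum of 8 characters, a blacklist check, a username check, no composition rules, and an optional byte limit for hash functions that truncate their input. The blacklist entries are constructed, the bcrypt 72-byte figure is the assumed reason for `max_bytes`, and `check_password`, its parameters and the reason strings are my own naming.

```python
"""Password acceptance check following the rules summarised on this page:
a minimum length, a blacklist of common passwords, no composition rules,
and a length limit only where the hash function needs one.
"""

from __future__ import annotations

import unicodedata
from typing import Optional

MIN_CHARS = 8  # the minimum suggested on this page (PCI DSS says 7, Microsoft 14)

# Constructed blacklist standing in for a real list of common and breached
# passwords; a deployment would load a large list from disk.
BLACKLIST = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}


def normalize(password: str) -> str:
    """NFKC-normalise so visually identical input always hashes the same way."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, username: str = "",
                   max_bytes: Optional[int] = None) -> list[str]:
    """Return the reasons to reject `password`; an empty list means accept.

    max_bytes is only needed when the hash function truncates its input
    (assumption: bcrypt, which uses the first 72 bytes).  Leave it None for
    argon2id or scrypt, which accept any length.
    """
    pw = normalize(password)
    reasons: list[str] = []

    # Length is counted after normalisation, so combining sequences do not
    # inflate a short password.
    if len(pw) < MIN_CHARS:
        reasons.append(f"shorter than {MIN_CHARS} characters")

    if max_bytes is not None and len(pw.encode("utf-8")) > max_bytes:
        reasons.append(f"longer than {max_bytes} bytes after UTF-8 encoding")

    lowered = pw.lower()
    if lowered in BLACKLIST:
        reasons.append("appears in the common-password blacklist")

    if username and username.lower() in lowered:
        reasons.append("contains the username")

    # Deliberately no requirement for digits, upper case or special
    # characters: a long passphrase with none of them is accepted.
    return reasons


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "Password1", "abc1234"):
        verdict = check_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

Note the trade-off the byte limit exposes: with bcrypt a 40-character password made of two-byte characters is 80 bytes and would be silently truncated, so you can either reject it (as above) or pick a hash that does not truncate; you cannot promise both "at least 64 characters" and bcrypt for every Unicode password.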
These are some of the sources I've used when researching this.
Please subscribe to Penguin Fortress on YouTube for future videos.
For more details about how username and password security work on Linux systems see the following guides: