XKCD/936:
My perfect password policy? It's what I use on machines I build professionally.
7 character minimum.
7-14 characters: complexity enforced (at least one capital letter, one digit, and one special character).
15+ characters: no complexity enforced. This allows Diceware or XKCD/936 style passphrases, where length does the work that complexity rules try to do.
Some common stupid password policies, and why they are stupid:
- No spaces. There's zero reason for this, other than laziness, and it kills passphrases outright.
- An artificial limit on length, especially when that limit is less than, say, 50 or so. (A cap imposed by the hash itself, such as bcrypt's 72-byte input limit, is the one defensible case, and it is still above 50.)
- Enforcing complexity while disallowing certain characters, which makes the complexity rule harder to satisfy for no gain.
- Not giving the rules ahead of time, so users have to guess why their password was rejected.
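Here is the policy above as code, together with the behaviour the list of bad policies argues for: spaces are ordinary characters, there is no maximum length, the rules are spelled out in one place so they can be shown before the user types anything, and every rejection names the rule that failed. This is an added example, not code from the original post. It assumes that a "special" character means any non-alphanumeric, non-whitespace character; the sample passwords at the bottom are constructed for illustration.

```python
"""Validator for the 7 / 7-14 / 15+ password policy (added example)."""
import string  # noqa: F401  (kept for readers who prefer string.punctuation as the special set)

MIN_LENGTH = 7        # 7 character minimum
COMPLEXITY_MAX = 14   # complexity enforced for lengths 7..14 inclusive; 15+ is exempt

# The rules, written once so they can be shown to users up front (no guessing).
POLICY_TEXT = (
    f"Passwords must be at least {MIN_LENGTH} characters. "
    f"Passwords of {MIN_LENGTH} to {COMPLEXITY_MAX} characters must also contain "
    "at least one capital letter, one digit and one special character. "
    f"Passwords of {COMPLEXITY_MAX + 1} or more characters have no complexity requirement. "
    "Spaces and all other printable characters are allowed, and there is no maximum length."
)


def is_special(ch: str) -> bool:
    """Assumption: 'special' means any non-alphanumeric, non-whitespace character."""
    return not ch.isalnum() and not ch.isspace()


def check_password(password: str) -> list[str]:
    """Return the list of rules the password violates; an empty list means accepted.

    Spaces count as characters and are never rejected. Each message names the
    rule that failed so the caller can tell the user exactly what went wrong.
    """
    problems: list[str] = []
    length = len(password)

    if length < MIN_LENGTH:
        problems.append(f"too short: {length} characters, minimum is {MIN_LENGTH}")
        return problems  # complexity checks are meaningless on a too-short string

    if length <= COMPLEXITY_MAX:
        band = f"{MIN_LENGTH}-{COMPLEXITY_MAX} character passwords need"
        if not any(c.isupper() for c in password):
            problems.append(f"{band} a capital letter")
        if not any(c.isdigit() for c in password):
            problems.append(f"{band} a digit")
        if not any(is_special(c) for c in password):
            problems.append(f"{band} a special character")

    # 15+ characters: nothing else to check; a passphrase passes on length alone.
    return problems


def is_acceptable(password: str) -> bool:
    """Convenience wrapper: True when check_password reports no violations."""
    return not check_password(password)


if __name__ == "__main__":
    print(POLICY_TEXT)
    # Constructed sample inputs, not real credentials.
    samples = [
        "abc123",                        # 6 chars: too short
        "Tr0ub4dor&3",                   # 11 chars, meets complexity
        "troubador3",                    # 10 chars, no capital and no special
        "correct horse battery staple",  # 28 chars with spaces, exempt from complexity
        "a" * 14,                        # 14 chars, fails all three complexity rules
        "a" * 15,                        # 15 chars, accepted on length alone
    ]
    for pw in samples:
        result = check_password(pw)
        print(f"{pw!r:34} -> {'OK' if not result else '; '.join(result)}")
```

The two band constants are the only things to change if the thresholds move; the messages and the policy text follow them automatically, so what is shown to users and what is enforced cannot drift apart.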