- The password must be at least 8 characters long;
- The password must contain at least one uppercase character (A-Z), one lower case character (a-z), one number (0-9), and one special character (@%&* etc);
- Passwords must never be words that are found in the dictionary (in any language), nor dictionary words with a numeric suffix or prefix;
- Passwords should not be names of real or fictitious places, people, products or sports teams (e.g. CHeLSEa5);
- Passwords must not contain more than 2 repetitive characters (e.g. BBBbbb111) nor may they contain keyboard sequences (e.g. QWErty123);
- Passwords must also not reference your username, the application or system name, the company or its products;
- Passwords must be changed at least every 90 days, and should not be reused. The last 10 passwords are stored to prevent reuse.
- Passwords must be kept private, not shared, stored on computer systems or post-it notes, and not coded into programs.
Hilarious. So now one cannot even use passwords like 123&56Az, @BCDef19, ASDfgh1@ etc. Sounds like a great policy, no?
It is a GREAT policy to screw your own users, that is. I have known a user who tried 15 times before he got it right, and another who tried for 30 minutes to no avail. Users end up with a password that they can’t easily remember, so they have no choice but to remember it by violating item 8 of the policy. One of these days they are going to forget to lock their drawers and let someone get their hands on their little note book.
Number combinations out. Dictionary words out. Keyboard combinations out. Hackers now have a smaller list to work with when they attempt brute force hacking. Did the people who thought up this shit ever think about the fact that the hackers could just whack in the same rules and hack away? * sigh *
A thing’s greatest strength is also its greatest weakness. Such policies are a double-edged sword that cuts both ways, and of course the people who implemented it must be so proud of it and must be patting one another on the back. Just wait until the CEO himself spends 10 minutes trying to change his password. But again, I doubt he’ll need to log into his computer, ever.
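The quoted rules written out as a checker, added here as an example; it is not the policy's own software and nothing from the post. The word list and company/application names are constructed placeholders, rules 3 and 4 share that one word list, the alphabet is treated as a keyboard sequence (an assumption), and rule 8 is behavioural so it is not checked.

```python
import re

# Rules 1-7 of the quoted policy as code. Word list and context words are
# constructed stand-ins (assumptions), not a real dictionary or company name.
MIN_LENGTH = 8
MAX_RUN = 2                  # rule 5: no more than 2 repeated characters in a row
HISTORY_DEPTH = 10           # rule 7: the last 10 passwords are kept
# Keyboard rows plus the alphabet (assumption); any 3 adjacent keys, in
# either direction, count as a "keyboard sequence".
SEQUENCES = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
             "abcdefghijklmnopqrstuvwxyz"]
WORDLIST = {"chelsea", "password", "summer"}        # constructed dictionary
CONTEXT_WORDS = ("examplecorp", "payroll")          # constructed company/app names


def longest_run(pw):
    """Length of the longest run of one repeated character ('BBBbbb111' -> 3)."""
    best = run = 1
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best


def has_keyboard_sequence(pw, width=3):
    """True if any `width` adjacent characters walk along one of SEQUENCES."""
    low = pw.lower()
    for i in range(len(low) - width + 1):
        window = low[i:i + width]
        if any(window in s or window in s[::-1] for s in SEQUENCES):
            return True
    return False


def check_password(pw, username="", history=()):
    """Return the set of rule numbers the candidate violates; empty set = accepted."""
    violations = set()
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        violations.add(1)
    if not all(re.search(p, pw) for p in (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")):
        violations.add(2)
    if low.strip("0123456789") in WORDLIST:   # rules 3 and 4: word, +/- numeric affix
        violations.add(3)
    if longest_run(pw) > MAX_RUN or has_keyboard_sequence(pw):
        violations.add(5)
    if any(w and w.lower() in low for w in (username, *CONTEXT_WORDS)):
        violations.add(6)
    if pw in history[-HISTORY_DEPTH:]:
        violations.add(7)
    return violations
```

Run against the post's three samples, each is rejected by rule 5 alone (the 123, BCD and ASD windows), which is the behaviour the post complains about.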
Seen the M41 Walker Bulldogs in the news?
If they are so concerned with security, then 2 mis-entries and you are locked out. That’s the best way to eliminate the effectiveness of a brute force attack.
Good password rules analysis. I like the fact that you think from the hackers’ perspective that it is now even easier to brute force with those rules intact.
Well I guess the best password policy is to follow as many of those rules as you can, but do not enforce it on the system.