Password Strength - Password Policy

Password Policy

A password policy is a guide to choosing satisfactory passwords. Some are controversial. They are usually intended to:

  • assist users in choosing strong passwords
  • ensure the passwords are suited to the target population
  • give users recommendations on how to handle their passwords
  • require that any password which has been lost or compromised be changed, and perhaps that no password be used for longer than a limited time
  • in some cases, prescribe the pattern of characters which passwords must contain

For example, password expiration is often covered by password policies. Password expiration serves two purposes:

  • if the time to crack a password is estimated to be 100 days, an expiration period shorter than 100 days may deny an attacker enough time to complete the attack
  • if a password has been compromised, requiring it to be changed regularly should limit how long the attacker retains access

Some argue that password expirations have become obsolete, since:

  • asking users to change passwords frequently encourages simple, weak passwords.
  • if one has a truly strong password, there is little point in changing it. Changing a password which is already strong introduces the risk that the new password may be weaker.
  • a compromised password is likely to be used immediately by an attacker to install a backdoor, often via privilege escalation. Once this is accomplished, password changes will not prevent future attacker access.
  • mathematically it gains very little security: moving from never changing a password to changing it on every authentication attempt (whether the attempt passes or fails) only doubles the number of guesses an attacker must make on average in a brute-force attack. Increasing the password length by a single character gains far more security than changing the password on every use.
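The two quantitative claims above (an expiration period shorter than the estimated crack time, and rotation on every attempt only doubling the attacker's expected work) can be checked directly. The following Python is an added example, not part of the original page: it computes the expected number of guesses for a fixed password versus one re-drawn after every attempt, confirms both formulas by simulation on a small keyspace, and converts a keyspace into an expected crack time for an assumed guessing rate. The alphabet size, password length and guesses-per-second figures are illustrative assumptions, not values from the page.

```python
import random


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters over an
    alphabet of `alphabet_size` symbols (the brute-force search space)."""
    return alphabet_size ** length


def expected_guesses_fixed(n: int) -> float:
    """Expected guesses to find one fixed, uniformly chosen password when the
    attacker enumerates all n candidates without repeating: (n + 1) / 2."""
    return (n + 1) / 2


def expected_guesses_rotating(n: int) -> float:
    """Expected guesses when the password is re-drawn uniformly at random
    after every attempt: each guess succeeds with probability 1/n
    independently, so the attempt count is geometric with mean n."""
    return float(n)


def expected_crack_days(n: int, guesses_per_second: float, rotating: bool = False) -> float:
    """Expected time in days to guess the password at the given rate."""
    guesses = expected_guesses_rotating(n) if rotating else expected_guesses_fixed(n)
    return guesses / guesses_per_second / 86400


def expiration_denies_attacker(n: int, guesses_per_second: float, expiration_days: float) -> bool:
    """The page's first argument for expiration: an expiration period shorter
    than the estimated crack time means a guessing attack is expected to run
    out of time. Only meaningful for attacks that must start over after a
    change; an attacker who already holds a stolen hash is unaffected."""
    return expiration_days < expected_crack_days(n, guesses_per_second)


def rotation_vs_extra_char(alphabet_size: int, length: int) -> dict:
    """Compare the two countermeasures from the page: rotating the password
    on every attempt versus adding one character to a fixed password."""
    n = keyspace(alphabet_size, length)
    return {
        "fixed": expected_guesses_fixed(n),
        "rotate_every_attempt": expected_guesses_rotating(n),
        "fixed_plus_one_char": expected_guesses_fixed(keyspace(alphabet_size, length + 1)),
    }


def simulate_mean_guesses(n: int, rotating: bool, trials: int, seed: int = 1) -> float:
    """Monte Carlo check of the two formulas on a small keyspace: the attacker
    walks a random permutation of the n candidates; with `rotating` the
    secret is re-drawn before every guess."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        secret = rng.randrange(n)
        order = list(range(n))
        rng.shuffle(order)  # the attacker's guess order
        attempts = 0
        while True:
            guess = order[attempts % n]
            attempts += 1
            if rotating:
                secret = rng.randrange(n)  # password changed after the last attempt
            if guess == secret:
                break
        total += attempts
    return total / trials


if __name__ == "__main__":
    # Illustrative assumptions: 8 lowercase letters, 1e6 guesses per second.
    n = keyspace(26, 8)
    print("expected guesses, fixed password:", expected_guesses_fixed(n))
    print("expected guesses, rotated every attempt:", expected_guesses_rotating(n))
    print("expected guesses, one more character:", expected_guesses_fixed(keyspace(26, 9)))
    print("expected crack time (days) at 1e6 guesses/s:", expected_crack_days(n, 1e6))
    print("90-day expiration denies attacker?", expiration_denies_attacker(n, 1e6, 90))
    print("simulated mean guesses (n=16, fixed):", simulate_mean_guesses(16, False, 20000))
    print("simulated mean guesses (n=16, rotating):", simulate_mean_guesses(16, True, 20000))
```

The ratio `rotate_every_attempt / fixed` comes out at just under 2 for any keyspace, while `fixed_plus_one_char / fixed` comes out at the alphabet size, which is the arithmetic behind the last argument above. The crack-time estimate assumes an attack that must restart after each change; once an attacker has exfiltrated a password hash, expiration does not shorten the offline attack at all.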
