A password policy is a set of rules designed to enhance computer security by encouraging users to employ strong passwords and use them properly. A password policy is often part of an organization's official regulations and may be taught as part of security awareness training. Either the password policy is merely advisory, or the computer systems force users to comply with it. Some governments have national authentication frameworks[1] that define requirements for user authentication to government services, including requirements for passwords.
The United States Department of Commerce's National Institute of Standards and Technology (NIST) has put out two standards for password policies which have been widely followed.
From 2004, the "NIST Special Publication 800-63. Appendix A,"[2] advised people to use irregular capitalization, special characters, and at least one numeral. This was the advice that most systems followed, and was "baked into" a number of standards that businesses needed to follow.
However, in 2017 a major update changed this advice, particularly that forcing complexity and regular changes is now seen as bad practice.[3] [4]
The key points of these are:
NIST included a rationale for the new guidelines in its Appendix A.
Typical components of a password policy include:
See also: Password strength.
Many policies require a minimum password length. Eight characters is typical but may not be appropriate.[6] [7] [8] Longer passwords are almost always more secure, but some systems impose a maximum length for compatibility with legacy systems.
Some policies suggest or impose requirements on what type of password a user can choose, such as:
Other systems create an initial password for the user; but require then to change it to one of their own choosing within a short interval.
Password block lists are lists of passwords that are always blocked from use. Block lists contain passwords constructed of character combinations that otherwise meet company policy, but should no longer be used because they have been deemed insecure for one or more reasons, such as being easily guessed, following a common pattern, or public disclosure from previous data breaches. Common examples are Password1, Qwerty123, or Qaz123wsx.
Some policies require users to change passwords periodically, often every 90 or 180 days. The benefit of password expiration, however, is debatable.[9] [10] Systems that implement such policies sometimes prevent users from picking a password too close to a previous selection.[11]
This policy can often backfire. Some users find it hard to devise "good" passwords that are also easy to remember, so if people are required to choose many passwords because they have to change them often, they end up using much weaker passwords; the policy also encourages users to write passwords down. Also, if the policy prevents a user from repeating a recent password, this requires that there is a database in existence of everyone's recent passwords (or their hashes) instead of having the old ones erased from memory. Finally, users may change their password repeatedly within a few minutes, and then change back to the one they really want to use, circumventing the password change policy altogether.
The human aspects of passwords must also be considered. Unlike computers, human users cannot delete one memory and replace it with another. Consequently, frequently changing a memorized password is a strain on the human memory, and most users resort to choosing a password that is relatively easy to guess (See Password fatigue). Users are often advised to use mnemonic devices to remember complex passwords. However, if the password must be repeatedly changed, mnemonics are useless because the user would not remember which mnemonic to use. Furthermore, the use of mnemonics (leading to passwords such as "2BOrNot2B") makes the password easier to guess.
Administration factors can also be an issue. Users sometimes have older devices that require a password that was used before the password duration expired. In order to manage these older devices, users may have to resort to writing down all old passwords in case they need to log into an older device.
Requiring a very strong password and not requiring it be changed is often better.[12] However, this approach does have a major drawback: if an unauthorized person acquires a password and uses it without being detected, that person may have access for an indefinite period.
It is necessary to weigh these factors: the likelihood of someone guessing a password because it is weak, versus the likelihood of someone managing to steal, or otherwise acquire without guessing, a stronger password.
Bruce Schneier argues that "pretty much anything that can be remembered can be cracked", and recommends a scheme that uses passwords which will not appear in any dictionaries.[13]
Password policies may include progressive sanctions beginning with warnings and ending with possible loss of computer privileges or job termination. Where confidentiality is mandated by law, e.g. with classified information, a violation of password policy could be a criminal offense in some jurisdictions.[14] Some consider a convincing explanation of the importance of security to be more effective than threats of sanctions.
The level of password strength required depends, among other things, on how easy it is for an attacker to submit multiple guesses. Some systems limit the number of times a user can enter an incorrect password before some delay is imposed or the account is frozen. At the other extreme, some systems make available a specially hashed version of the password, so that anyone can check its validity. When this is done, an attacker can try passwords very rapidly; so much stronger passwords are necessary for reasonable security. (See password cracking and password length equation.) Stricter requirements are also appropriate for accounts with higher privileges, such as root or system administrator accounts.
Password policies are usually a tradeoff between theoretical security and the practicalities of human behavior. For example:
A 2010 examination of the password policies[15] of 75 different websites concludes that security only partly explains more stringent policies: monopoly providers of a service, such as government sites, have more stringent policies than sites where consumers have choice (e.g. retail sites and banks). The study concludes that sites with more stringent policies "do not have greater security concerns, they are simply better insulated from the consequences from poor usability."
Other approaches are available that are generally considered to be more secure than simple passwords. These include use of a security token or one-time password system, such as S/Key, or multi-factor authentication.[16] However, these systems heighten the tradeoff between security and convenience: according to Shuman Ghosemajumder, these systems all improve security, but come "at the cost of moving the burden to the end user."[17]