variable complexity reqs based on password length - Stanford style password policy


Hi Support,


Do you have any comments/thoughts/plans/suggestions regarding implementing a password strength policy/calculator that follows the Stanford-style password policy, i.e. where longer passwords (20+ chars) do not require/enforce character type restrictions, with a corresponding expiry or max. age policy?


I'm thinking of a policy that allows a definition such as:

  • password_length >= x (e.g. x=20) chars: 1 from [upper, lower] (NB: must not allow 20 numeric or 20 special chars, as limited entropy)
  • x > password_length >= y (e.g. x=20, y=16) chars: 2 from [upper, lower, numeric]
  • y > password_length >= z (e.g. y=16, z=12) chars: 2 from [upper, lower, special char]
  • z > password_length > min_length (e.g. z=12, min_length=8) chars: 3 from [upper, lower, numeric, special char]
  • password_length = min_length (e.g. 8) chars: 4 from [upper, lower, numeric, special char], with a minimum of a upper, b lower, c numeric, d special (e.g. a=2, b=2, c=2, d=2)


I'm interested to know if you have plans in this space.


Also interested to know if other users have adopted this type of policy and any downside consequences you may have encountered.





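As an added illustration (not code from the original post or from Passwordstate), the tiered, length-dependent check described above written out in Python. It assumes the example thresholds x=20, y=16, z=12, min_length=8 and a=b=c=d=2, and treats Python's `string.punctuation` as the "special char" class; the top tier rejects all-numeric and all-special passwords as the post requires.

```python
import string

# Character classes referenced by the policy tiers (special = string.punctuation, an assumption).
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "numeric": set(string.digits),
    "special": set(string.punctuation),
}

# Thresholds and per-class minimums from the proposal (example values, assumed here).
X, Y, Z, MIN_LENGTH = 20, 16, 12, 8
MIN_PER_CLASS = {"upper": 2, "lower": 2, "numeric": 2, "special": 2}


def class_counts(password):
    """Count how many characters of each class the password contains."""
    return {name: sum(c in chars for c in password) for name, chars in CLASSES.items()}


def check_password(password):
    """Return (ok, reason) for the password under the tiered policy."""
    n = len(password)
    counts = class_counts(password)
    present = {name for name, k in counts.items() if k > 0}
    if n < MIN_LENGTH:
        return False, f"shorter than minimum length {MIN_LENGTH}"
    if n >= X:
        # Long tier: only a letter class is required, so 20 digits or 20 symbols fail.
        if present & {"upper", "lower"}:
            return True, "tier >= x: at least one letter class present"
        return False, "tier >= x: needs at least one upper or lower letter (limited entropy otherwise)"
    if n >= Y:
        need, pool = 2, {"upper", "lower", "numeric"}
    elif n >= Z:
        need, pool = 2, {"upper", "lower", "special"}
    elif n > MIN_LENGTH:
        need, pool = 3, set(CLASSES)
    else:
        # Exactly min_length: all four classes, each meeting its own minimum count.
        short = [c for c, m in MIN_PER_CLASS.items() if counts[c] < m]
        if short:
            return False, f"length == min_length: too few of {', '.join(short)}"
        return True, "length == min_length: all four classes at their minimum counts"
    have = len(present & pool)
    if have >= need:
        return True, f"{have} of {sorted(pool)} classes present (need {need})"
    return False, f"only {have} of {sorted(pool)} classes present (need {need})"
```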

Hi Paul,


Thanks for your request. We don't currently have plans to develop the Password Strength Policies further, but if customers express enough interest in this, we can look into it.

On the Password Generator Policies, would the Pattern Matching help with this at all? We understand this might not meet the policy requirements you want, but you can be quite specific with the structure of the random passwords which are generated.


Click Studios.
