The rules and policies surrounding password complexity and lifetime should provide clear guidance about whether or not a password is sufficiently resistant to attacks of various types, including brute force, dictionary and social engineering. It should not be up to the user to evaluate password strength.
Configure your technical password policy to enforce the following security settings:
- Use of passphrases
- Users avoid obvious passwords (blacklists)
- Users don't use the same password elsewhere
- Minimum password length
- No maximum length
- Accounts are locked after 10 unsuccessful attempts
- Password guesses are limited to a maximum of 10 attempts within 5 minutes
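As an added example (not code from the original page), the following Python checker enforces the rules in the list above: no composition rule and no maximum length (so passphrases pass), a blocklist of obvious passwords, a minimum length, a hard lockout after 10 unsuccessful attempts, and a sliding window of at most 10 guesses per 5 minutes. The numeric thresholds are the ones stated in the list; the minimum length of 12, the blocklist contents and the account names are constructed assumptions.

```python
"""Added example (not part of the original page): a minimal password-policy check
and per-account login throttle implementing the listed rules."""
import time
from collections import deque
from typing import List

MIN_LENGTH = 12           # assumed minimum; the list does not state a number
LOCKOUT_THRESHOLD = 10    # from the policy: lock after 10 unsuccessful attempts
WINDOW_LIMIT = 10         # from the policy: at most 10 guesses ...
WINDOW_SECONDS = 5 * 60   # ... within 5 minutes

# Constructed sample blocklist; a real deployment loads a breached-password list.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome"}


def normalize(pw: str) -> str:
    """Lowercase and drop whitespace so 'Pass word'-style spacing cannot dodge the blocklist."""
    return "".join(c for c in pw.lower() if not c.isspace())


def check_password(pw: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable.
    There is deliberately no composition rule and no maximum length, so long passphrases pass."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    core = normalize(pw)
    if core in BLOCKLIST:
        problems.append("matches a blocklisted password")
    elif core.rstrip("0123456789") in BLOCKLIST:
        # 'welcome2024' is still the blocklisted word with a predictable tail
        problems.append("blocklisted word with trailing digits")
    return problems


class LoginThrottle:
    """Per-account attempt tracking: a sliding window counts every attempt (success or
    failure) and refuses the 11th within 5 minutes; 10 consecutive failures lock the
    account until an administrator clears it."""

    def __init__(self, now=time.monotonic):
        self._now = now                 # injectable clock so the behaviour is testable
        self._attempts = {}             # account -> deque of attempt timestamps in window
        self._failures = {}             # account -> consecutive failed attempts
        self.locked = set()             # accounts needing an explicit unlock

    def _window(self, account: str):
        q = self._attempts.setdefault(account, deque())
        t = self._now()
        while q and t - q[0] >= WINDOW_SECONDS:   # drop attempts older than the window
            q.popleft()
        return q, t

    def status(self, account: str) -> str:
        if account in self.locked:
            return "locked"
        q, _ = self._window(account)
        return "throttled" if len(q) >= WINDOW_LIMIT else "ok"

    def attempt(self, account: str, password_ok: bool) -> str:
        """Register one login attempt; returns 'ok', 'failed', 'throttled' or 'locked'.
        In a real service the throttle decision is taken before the credential is verified."""
        state = self.status(account)
        if state != "ok":
            return state
        q, t = self._window(account)
        q.append(t)
        if password_ok:
            self._failures.pop(account, None)   # a success resets the failure streak
            return "ok"
        n = self._failures.get(account, 0) + 1
        self._failures[account] = n
        if n >= LOCKOUT_THRESHOLD:
            self.locked.add(account)
            return "locked"
        return "failed"


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "P a s s w o r d 2024", "Tr0ub4dor&3"):
        print(repr(candidate), "->", check_password(candidate) or "accepted")
    throttle = LoginThrottle()
    print([throttle.attempt("alice", False) for _ in range(11)])
```

The window counts every attempt, not only failures, so a user who alternates right and wrong passwords is slowed down without ever being locked out, while a sustained run of wrong guesses hits the hard lockout on the tenth failure.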
Password policies issued by official advisory bodies have evolved significantly. Simply advising users to choose a password longer than 10 characters with a mix of character types is no longer sufficient.
The US National Institute of Standards and Technology (NIST), one of the world's recognized references, issued new guidelines for passwords:
- No need to change your password every month if you use multi-factor authentication
Studies have shown that requiring frequent password changes is counterproductive to good password security, even though it was standard practice for a long time. It is more valuable to combine multi-factor authentication with a passphrase that is easy to remember but hard to guess.
- Use a passphrase instead of a complex password
Mixing upper-case letters, numbers and special characters is useless and tricky to remember. Instead, try to find a combination of words that is easy to remember but hard to guess. Passwords that are too easy can be attacked by specialist software that combines brute-force attacks (dictionaries, hashes…) with variation algorithms for popular characters. Using a personalized passphrase significantly extends the time it takes to crack it.
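To make the passphrase argument concrete, here is an added example (not from the original text and not NIST's code) of a rough, pattern-aware strength estimator in the spirit of meters such as zxcvbn. It estimates how many guesses an attacker needs under three models and takes the cheapest, which is what the "dictionary plus variation" software described above effectively does. The word list, dictionary size, guess rate and the sample passwords (including the well-known "Tr0ub4dor&3" example) are constructed assumptions, not measured values.

```python
"""Added example (not part of the original page): estimate the guesses needed to
recover a password under brute force, 'dictionary word with substitutions', and
random-passphrase models, and report the cheapest path for the attacker."""
import math
from typing import Optional

# Constructed assumptions for the estimate.
DICTIONARY_SIZE = 50_000        # size of the word list a cracker tries first
PASSPHRASE_WORDLIST = 7_776     # diceware-style list size for randomly chosen words
GUESSES_PER_SECOND = 1e10       # illustrative offline guessing rate
TAIL_ALPHABET = 10 + 33         # digits plus printable symbols for a trailing '&3'-style tail

# Tiny stand-in for a real dictionary (constructed).
SAMPLE_WORDS = {"troubador", "password", "welcome", "summer",
                "correct", "horse", "battery", "staple"}

# Popular character substitutions that strength meters undo before the dictionary lookup.
UNLEET = {"0": "o", "4": "a", "3": "e", "1": "l", "@": "a", "$": "s", "5": "s", "7": "t"}


def charset_size(pw: str) -> int:
    """Alphabet size a pure brute-force search over this password's classes must cover."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33
    return size


def brute_force_guesses(pw: str) -> int:
    """Worst case for the attacker: every string over the charset of this length."""
    return charset_size(pw) ** len(pw)


def pattern_guesses(pw: str) -> Optional[int]:
    """Guess count when the password is a dictionary word with substitutions and a short
    digit/symbol tail; None when no dictionary word is found under any split."""
    for i in range(len(pw), 0, -1):          # longest possible word first
        core, tail = pw[:i], pw[i:]
        subs = sum(1 for c in core if c in UNLEET)
        word = "".join(UNLEET.get(c, c) for c in core).lower()
        if word in SAMPLE_WORDS:
            caps = 1 if any(c.isupper() for c in core) else 0
            # word choice x each substitution on/off x capitalisation x tail characters
            return DICTIONARY_SIZE * (2 ** subs) * (2 ** caps) * (TAIL_ALPHABET ** len(tail))
    return None


def passphrase_guesses(pw: str) -> Optional[int]:
    """Guess count when the attacker knows the password is N random words from the list."""
    words = pw.split()
    return PASSPHRASE_WORDLIST ** len(words) if len(words) >= 2 else None


def estimated_guesses(pw: str) -> int:
    """The attacker picks the cheapest applicable model, so report the minimum."""
    candidates = [brute_force_guesses(pw)]
    for g in (pattern_guesses(pw), passphrase_guesses(pw)):
        if g is not None:
            candidates.append(g)
    return min(candidates)


def years_to_exhaust(guesses: int) -> float:
    """Time to try every guess at the assumed rate, in years."""
    return guesses / GUESSES_PER_SECOND / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for pw in ("Tr0ub4dor&3", "Password1", "correct horse battery staple"):
        g = estimated_guesses(pw)
        print(f"{pw!r}: ~2^{math.log2(g):.1f} guesses, {years_to_exhaust(g):.2e} years")
```

Under these assumptions the mixed-class "Tr0ub4dor&3" costs roughly 2^29 guesses because the attacker only has to cover a dictionary word, a handful of substitutions and a two-character tail, whereas four random words from a 7776-word list cost about 2^52 guesses; the passphrase is both easier to remember and far more expensive to crack.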