The rules and policies surrounding password complexity and lifetime should provide clear guidance about whether or not a password is sufficiently resistant to attacks of various types, including brute force, dictionary and social engineering. It should not be up to the user to evaluate password strength.
Password policies issued by official advisory bodies have changed substantially. The old advice, a password of at least 10 characters mixing several character classes, is no longer what those bodies recommend.
The US National Institute of Standards and Technology (NIST), one of the most widely recognized references in this area, has issued new password guidelines (SP 800-63B):
- No forced periodic password changes; change a password when there is evidence it has been compromised
Studies have shown that forcing users to change their password on a schedule is counterproductive to password security, even though it was standard practice for a long time: users respond with predictable variations of the old password. NIST now says a password should be changed when there is evidence of compromise, not every month. It is more valuable to pair a passphrase that is easy to remember but hard to guess with multi-factor authentication.
- Use a passphrase instead of a complex password
Mandatory mixes of upper-case letters, digits and symbols add little real strength and are hard to remember. Instead, pick a combination of words that is easy for you to remember but hard for anyone else to guess. Weak passwords are recovered by cracking software that combines brute force with dictionary wordlists, precomputed hash lists and mangling rules that apply the popular substitutions (a to @, o to 0, a trailing digit or "!"), so "P@ssw0rd1" falls almost as quickly as "password". A personal passphrase of several unrelated words is far longer, which greatly extends the time such software needs to crack it.
- Screen every new password against lists of common and compromised passwords, and make that screening mandatory
This is one of the best countermeasures against weak passwords: reject any candidate that appears in a dictionary wordlist or in a list of passwords exposed in known breaches, and also reject context-specific values such as the username or the service name and trivially sequential or repeated characters.
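A password screen of the kind described above, as an added example that is not code from the original page or from NIST: it enforces a length floor instead of composition rules, undoes the same substitutions a cracking tool's mangling rules would apply before comparing a candidate with a wordlist, looks up a breached-password list by SHA-1 hash prefix (the k-anonymity pattern the Have I Been Pwned range API uses, served here from a small in-memory list), and rejects the username, the service name and sequential or repeated characters. The wordlist, the breach list and the substitution table are constructed sample data; a real deployment would use a full wordlist and a breach corpus.

```python
"""NIST SP 800-63B style password screen (example code added by the editor,
not the page's or NIST's own code). No composition rules; instead a length
floor, a wordlist check with common mangling undone, a breached-password
lookup by SHA-1 prefix (k-anonymity style), and a check for context-specific
words and for sequential or repeated characters."""
import hashlib
import re

MIN_LENGTH = 8   # SP 800-63B floor for user-chosen memorized secrets
MAX_LENGTH = 64  # verifiers must accept at least this many characters

# Constructed sample data standing in for a real wordlist and breach corpus.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "summer", "dragon"}
BREACHED_PASSWORDS = ["123456", "Password1!", "iloveyou", "Summer2019"]

# The substitutions cracking rules apply to dictionary words; we undo them.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

REASON_SHORT = "too short"
REASON_LONG = "too long"
REASON_SEQUENTIAL = "sequential or repeated characters"
REASON_BREACHED = "found in breach list"
REASON_DICTIONARY = "dictionary word (after undoing common substitutions)"
REASON_CONTEXT = "contains username or service name"


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Index breached hashes by their first 5 hex chars, like a k-anonymity
    range API: a client sends only the prefix and compares suffixes locally."""
    index = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


BREACH_INDEX = build_range_index(BREACHED_PASSWORDS)


def in_breach_list(password, index=BREACH_INDEX):
    """True if the full SHA-1 of the password is in the indexed breach list."""
    digest = sha1_hex(password)
    return digest[5:] in index.get(digest[:5], set())


def base_word(password):
    """Strip trailing digits/symbols, lower-case and undo leet substitutions
    so that 'P@ssw0rd123!' is compared with the wordlist as 'password'."""
    stripped = re.sub(r"[\d\W_]+$", "", password)
    return stripped.lower().translate(LEET)


def is_sequential(password):
    """True for runs such as 'aaaaaaaa', '12345678' or 'abcdefgh'."""
    if len(password) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(password, password[1:])}
    return len(steps) == 1 and steps <= {-1, 0, 1}


def check_password(password, username="", service=""):
    """Return the list of reasons for rejection; an empty list means accepted."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(REASON_SHORT)
    if len(password) > MAX_LENGTH:
        reasons.append(REASON_LONG)
    if is_sequential(password):
        reasons.append(REASON_SEQUENTIAL)
    if in_breach_list(password):
        reasons.append(REASON_BREACHED)
    if base_word(password) in COMMON_WORDS:
        reasons.append(REASON_DICTIONARY)
    lowered = password.lower()
    # Empty username/service must not match (every string contains "").
    if any(w and w.lower() in lowered for w in (username, service)):
        reasons.append(REASON_CONTEXT)
    return reasons


if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "P@ssw0rd123!",
                      "Summer2019", "12345678", "alice2024"]:
        verdict = check_password(candidate, username="alice") or "accepted"
        print(repr(candidate), verdict)
```

The point of the hash-prefix index is that a client never has to send the password, or even its full hash, to the breach service: it sends five hex characters and compares the returned suffixes itself. Note also that the screen replaces composition rules rather than adding to them; a long passphrase with no digits or symbols passes, while "P@ssw0rd123!" is rejected because, after the mangling is undone, it is just "password".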