Recommended policy on password complexity

Some links and recent research related to policies and the actual resistance to cracking of the resulting passwords is presented by Matt Weir in Reusable Security: New Paper on Password Security Metrics and CCS Paper Part #2: Password Entropy

One quick takeaway is noted: "forcing users to change their password every six months isn't very useful"

See also other questions here like this one.


Passwords are generally considered fundamentally broken, so that any password policy is an attempt to shore things up at best. Having said that, a 'best practice' password policy will typically include at least the following requirements, in addition to minimum password length:

Password Aging:

A maximum age for the password, so that the same password is not used indefinitely

A password history, to stop users changing back to one of N previously used passwords (and thus effectively not changing it at all).

Some policies will also have a minimum age, to stop people changing their password N times (and thus effectively bypassing the password history mechanism, and not changing it at all).

(Notice the last two of these controls are to stop users attempting to get round the first! This is yet another clue that passwords are pretty broken)

Password Complexity:

Typically these will include requirements for 'special' characters, or use of several character classes, with the goal being to increase the effective number of bits in the password and increase the amount of time it takes to brute force a password.

It is also useful to have a policy that disallows not just dictionary words (such as password), but dictionary derived words (e.g. password123, drowssap321 etc). The goal here is to prevent dictionary attacks which can speed up automated password cracking.

Beyond this it is possible to debate all sorts of other requirements and exact values for the various parameters (must users change passwords every 90 days or 30 days or every 5 minutes? etc), as well as the amount of entropy you gain/lose by complexity requirements - but where these things matter greatly then passwords are almost certainly not a good enough control in the first place.


It is my understanding that developing a balance between security and usability is an on-going battle. Ideally, users should use the most secure password possible but many of them (possibly all) cannot remember these complex strings.

It's my personal experience that the most secure passwords are phrases or the first letter of phrases that I know. By doing this it creates a seemingly arbitrary string of letters (using the phrase: You can't guess this password easily --- ycgtpve). Then require a number and it will create a difficult password that a hint will not divulge easily.

As far as documentation goes I managed to find a couple resources on creating powerful passwords:

-http://technet.microsoft.com/en-us/library/cc736605(WS.10).aspx

This article outlines how to instruct users on good password practices.

-http://www.techrepublic.com/article/lock-it-down-creating-passwords-that-are-secure-and-easy-to-remember/1047939

This article gives good algorithms to creating difficult passwords which are easily remembered.

Hope this helps.