[Assurance] Password Strength Requirements
  • From: Benn Oshrin <>
  • To:
  • Subject: [Assurance] Password Strength Requirements
  • Date: Wed, 08 Aug 2012 14:00:47 -0400

Back in December, there were some spreadsheets sent around discussing the "sliders" to select password policies as required by §4.2.3.[2,3]. Bronze and Silver basically reference 800-63-1 appendix A which, as I understand it, essentially says your password management policy is calculated from

- The complexity required for the password (length, dictionary, composition)
- The number of unsuccessful attempts required before the password must be locked/changed
- Time introduced to frustrate attacks, via lockouts

I'm curious about what approaches people are settling upon now. For example,

- Is anyone (considering) maintaining a simple failed authentication counter per-password, and expiring the password once the counter reaches the limit permitted by the complexity for the level (Bronze/Silver) of interest? (i.e., no lockout, no scheduled expiration)

- Where password lockout is being used (for n amount of time after m failed attempts, but then unlocking the password without reset unless it has expired), what "slider" settings are you using/planning to use compared to what you previously used/currently use? How, if at all, are you (planning on) handling DoS risk?

- Are you (planning on) requiring longer passwords?

(We discussed 2FA/OTP as a "beyond Silver" option back in March, so I'm less interested in that aspect.)

Is there any sense that these requirements are "too strong" for Bronze/LOA1? Or, less likely, "too weak"?

Thanks,

-Benn-
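As an added worked example (not code from the post, the list, or the InCommon assurance program), the following Python models the policy arithmetic the message describes: the Appendix A entropy estimate for a user-chosen password, the per-level cap on the number of online guesses an attacker may be allowed over the password's life, and the two enforcement styles the post asks about (a per-password failed-attempt counter with no lockout, and an m-failures/n-seconds lockout). The entropy table, the 2^-10 and 2^-14 guess-probability targets, and the Bronze=Level 1 / Silver=Level 2 mapping are taken from my reading of NIST SP 800-63-1 and are assumptions of this example; the lockout bound is a simple upper-bound model, not a figure from the standard.

```python
from dataclasses import dataclass
from math import floor

# Assumed targets (SP 800-63-1 sec. 8.2.3 as I read it): maximum probability that
# an online guessing attacker succeeds over the life of one password.
# Bronze is mapped to Level 1 and Silver to Level 2, per the post.
MAX_GUESS_PROBABILITY = {"bronze": 2 ** -10, "silver": 2 ** -14}


def entropy_bits(length: int, composition_rule: bool = False,
                 dictionary_check: bool = False) -> float:
    """Appendix A style entropy estimate for a user-chosen password (assumed table):
    4 bits for the first character, 2 bits each for characters 2-8, 1.5 bits each
    for characters 9-20, 1 bit each beyond 20; +6 bits for a composition rule;
    a dictionary-check bonus of 6 bits at <=8 characters declining to 0 at 20."""
    if length <= 0:
        return 0.0
    bits = 4.0
    bits += 2.0 * max(0, min(length, 8) - 1)
    bits += 1.5 * max(0, min(length, 20) - 8)
    bits += 1.0 * max(0, length - 20)
    if dictionary_check:
        bits += max(0.0, 6.0 * (20 - max(length, 8)) / 12)
    if composition_rule:
        bits += 6.0
    return bits


def max_failed_attempts(bits: float, level: str) -> int:
    """Largest number of wrong guesses that keeps the attacker's success
    probability at or below the level's target: floor(2^bits * p_max)."""
    return floor(2 ** bits * MAX_GUESS_PROBABILITY[level])


@dataclass
class FailureBudget:
    """Option 1 from the post: a per-password counter, no lockout, no scheduled
    expiration. The password is forced to change once the budget is spent."""
    limit: int
    failures: int = 0
    expired: bool = False

    def record_failure(self) -> bool:
        """Count one failed authentication; return True if the password
        is still usable afterwards."""
        self.failures += 1
        if self.failures >= self.limit:
            self.expired = True
        return not self.expired

    def record_success(self) -> None:
        # A correct login does not refund guesses: the attacker's budget
        # is over the password's whole lifetime, not per session.
        pass


def lockout_attempt_bound(m_failures: int, lockout_seconds: int,
                          lifetime_seconds: int) -> int:
    """Option 2 from the post: lock for n seconds after m failures, then unlock
    without reset. Upper bound (assumed model) on guesses an attacker can make
    over the password's lifetime: m guesses per lockout cycle."""
    cycles = lifetime_seconds // lockout_seconds + 1
    return m_failures * cycles


def lockout_meets_level(m_failures: int, lockout_seconds: int,
                        lifetime_seconds: int, bits: float, level: str) -> bool:
    """Does the lockout slider setting keep guesses within the level's cap?"""
    return lockout_attempt_bound(m_failures, lockout_seconds,
                                 lifetime_seconds) <= max_failed_attempts(bits, level)


if __name__ == "__main__":
    # Constructed sample policy: 8-character minimum, composition rule,
    # dictionary check; one-year password lifetime; 5 failures -> 30 min lockout.
    bits = entropy_bits(8, composition_rule=True, dictionary_check=True)
    year = 365 * 24 * 3600
    for level in ("bronze", "silver"):
        print(level, "bits", bits, "max failed attempts",
              max_failed_attempts(bits, level), "5/30min lockout ok:",
              lockout_meets_level(5, 30 * 60, year, bits, level))
```

With the constructed settings above, the counter-only approach allows 2^20 wrong guesses per password at Bronze and 2^16 at Silver, while the 5-failures/30-minute lockout bound over a year exceeds the Silver cap, which is the kind of slider trade-off the post is asking about.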