Educause Security Discussion mailing list archives

Re: Password length and complexity


From: Alan Stockdale <astockdale () EDC ORG>
Date: Fri, 31 May 2013 14:23:42 -0400


--Electronic Authentication Guideline. 2011. NIST SP800-63 (see esp. "Appendix A: Estimating Entropy and Strength").
--Guide to Enterprise Password Management (Draft). 2009.  NIST SP800-118
http://csrc.nist.gov/publications/PubsSPs.html

Worth asking how they are being stored and can they be stored more securely. A lot of passwords are stored in a manner that
doesn't provide adequate protection.
See http://www.troyhunt.com/2012/06/our-password-hashing-has-no-clothes.html


On 5/31/2013 1:08 PM, Eric Weakland wrote:
Greetings,

Do any of you have any links handy to scholarly/technical articles that have recommendations or strategies on choosing
appropriate password length and complexity requirements?  We're working on extending our password expiration period
significantly - let's say 1 year, and will be using things like 2-factor for extremely sensitive accounts, and I want to
make sure we are using a sound rationale/reasons for the length we choose - backed up by some research.

Anyone know of useful studies/research results that could help guide our recommendations?

Best,


Eric Weakland, CISSP, CISM, CRISC
Director, Information Security
Office of Information Technology
American University
eric at american.edu
202.885.2241

______________________________________
AU IT will never ask for your password via e-mail.
Don't share your password with anyone!



--
Alan Stockdale, Ph.D.
Education Development Center
43 Foundry Avenue, Waltham, MA 02453-8313
Work: 617 618 2731
Fax: 617 969 3401
E-mail: astockdale () edc org<mailto:astockdale () edc org>
Web: http://www.edc.org/
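Added example, not part of either message above: a small Python implementation of the guessing-entropy rule of thumb for user-chosen passwords from the "Appendix A: Estimating Entropy and Strength" that Alan points to (the "No Checks" case: 4 bits for the first character, 2 bits each for characters 2-8, 1.5 bits each for 9-20, 1 bit each beyond 20), placed next to the keyspace of a truly random password of the same length, plus the inverse question Eric is asking, namely how long a password must be to reach a target estimate. The appendix's bonuses for composition rules and dictionary checks are deliberately not modelled here; the function names are my own.

```python
# Added example (not from the original thread). Implements the SP 800-63
# Appendix A rule of thumb for the guessing entropy of user-chosen passwords
# ("No Checks" column of Table A.1) and compares it with the keyspace an
# attacker faces against a randomly generated password of the same length.
import math


def nist_user_chosen_entropy_bits(length: int) -> float:
    """Estimated guessing entropy of a user-chosen password with no
    dictionary or composition rule, per SP 800-63 Appendix A:
    4 bits for the first character, 2 bits each for characters 2-8,
    1.5 bits each for characters 9-20 and 1 bit each beyond 20.
    The appendix's composition/dictionary bonuses are not modelled."""
    if length <= 0:
        return 0.0
    bits = 4.0                             # first character
    bits += 2.0 * min(length - 1, 7)       # characters 2..8
    if length > 8:
        bits += 1.5 * min(length - 8, 12)  # characters 9..20
    if length > 20:
        bits += 1.0 * (length - 20)        # characters 21 and up
    return bits


def keyspace_bits(length: int, alphabet_size: int = 95) -> float:
    """Entropy of a uniformly random password over an alphabet of the
    given size (95 = printable ASCII); the number user-chosen passwords
    fall far short of."""
    return length * math.log2(alphabet_size)


def min_length_for_bits(target_bits: float) -> int:
    """Smallest user-chosen password length whose Appendix A estimate
    reaches the target (the question behind 'how long should it be?')."""
    length = 1
    while nist_user_chosen_entropy_bits(length) < target_bits:
        length += 1
    return length


if __name__ == "__main__":
    for n in (8, 12, 16, 20, 30):
        print(f"{n:2d} chars: user-chosen ~{nist_user_chosen_entropy_bits(n):4.1f} bits,"
              f" random ~{keyspace_bits(n):5.1f} bits")
    print("length needed for a 30-bit estimate:", min_length_for_bits(30))
```

The gap between the two columns is the point of the appendix: an 8-character user-chosen password is credited with about 18 bits of guessing entropy, while the same length drawn at random from printable ASCII is worth over 52.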

