Talk:Password policy

Can management force you to share your personal password with your co-worker.


 * Can they? Probably; it's their company.  Should they? In other words, is it a reasonable security practice?  Certainly not. Petershank 05:01, 17 March 2007 (UTC)

Security??
I have a question. This obviously helps against Dictionary attacks, but wouldn't using something so restrictive as the idea of Environ passwords DECREASE security by decreasing the number of passwords a person could use, therefore increasing the probability that the attacker (probably knowing the rules for a possible (used) password) could attack at this point(the point of password level security). For instance:

C V  C  C  V  C  N  N versus AN AN AN AN AN AN AN AN

where

C=consonant(of which there exist 21) V=vowel(of which there exist 5) N=number[digit](of which there exist 10 (1-9 and 0)) AN=alphanumeric(of which there exist 26 + 10 = 36)

the number of possible (assuming both are case-insensitive) passwords are:

first password: 21 x 5 x 21 x 21 x 5 x 21 x 10 x 10 = 486202500 second password: 36 ^ 8 =                         2821109907456

Clearly, using such a system, while cutting down on some attacks, will increase the level of other attacks and (by probability) decrease the level of overall security by (drumroll please) : a factor of approximately 5802.3352563098708871303623490212.

http://wims.unice.fr/wims/wims.cgi factors numbers for people using windoze, linux has factor(6) and factor(6) [at least mine does], and I've never used a mac. Sorry. (This is in case you want to check my numbers. Please do; I'm not that sure they're right.)

Password changing and dictionary attacks
Interesting question: given an unrestricted dictionary attack, how many extra tries does it take for the attacker if the password is changed on a regular basis? And if anyone can find a cite for the answer, it would be good to see incorporated. Calum (talk) 15:53, 6 March 2009 (UTC)


 * Assuming the change interval is large compared to the time the attacker is willing to spend on the search (say weeks or months), periodic changes should have no impact on the search. Periodic password changes only create an incentive for the attacker to use a recovered password immediately, say to install a back door or root kit. And there is anecdotal reason to believe that frequent changes encourage users to choose simpler passwords, making dictionary attacks more feasable.--agr (talk) 16:52, 6 March 2009 (UTC)

Reverted "environ" deletion
I was reverting IP vandalism when I ran across the deletion of the "environ" pattern password section. I am no expert on this topic, but the deletion reason was weak (I've never seen this) and a brief search gave me a reference which I included. Please feel free to message me or change my reversion if you can provide a reference demonstrating that the section is in error. Thanks TreacherousWays (talk) 19:43, 5 December 2011 (UTC)
 * The supplied reference is the same text as the wikipedia article. I don't know which came first - the wiki article, or the reference, but either way I'm not sure it's a valid reference.  I'm not disputing the existence of the environ password, but I do think the IP editor had a good point in removing at least the government bit.  Here in fact is a reference disputing the government claim.   a_man_alone (talk) 21:41, 5 December 2011 (UTC)
 * The link you provided states (in part), "... It’s widely claimed on the web that employees of the UK Government are advised to use passwords of this form. Although I have seen this advice on a local government website in the past, I can’t find any current recommendation ..." I would say that in terms of verifiability, this may just be a non-starter. It would be counter-productive for any agency to confirm or even deny that their passwords have a specific pattern. Perhaps the best solution in this instance might be to note the claim (which is verifiable) rather than advance it as fact. TreacherousWays (talk) 15:07, 7 December 2011 (UTC)

Stanford Password Policy
This would be a good addition to this article.

The preceding comment didn't include a link to Stanford's Password Policy. I found the following documents: https://uit.stanford.edu/service/accounts/passwords/quickguide https://uit.stanford.edu/service/accounts/passwords — Preceding unsigned comment added by 59.148.176.172 (talk) 01:46, 4 September 2020 (UTC)

Conflicting NIST guidelines
They say "Verifiers should not impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for passwords."

So, you can't restrict the user from using a sequence of repeating characters like 'aaaaaaaa'.

But a bit later, they say mention checking against lists of commonly-used, expected, or compromised passwords, such as "Passwords consisting of repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’)". — Preceding unsigned comment added by 2001:630:53:FB:64BD:85D5:B476:D73B (talk) 12:34, 18 November 2019 (UTC)

The point is that there shouldn't be a generic rule saying "sequences of repeating characters are not allowed". But if a particular repeating sequence like 'aaaaaaaa' is common, that can be included in the list of commonly used memorized secrets. --Jimfenton (talk) 01:47, 3 December 2021 (UTC)