Posted on 1 Comment

Password rules

The following comes from an Australian government site (formatting is mine, for readability):

“Your password must be a minimum length of nine characters, consisting of three of the following – lowercase (a-z) and uppercase (A-Z) alphabetic characters,
numeric characters (0-9) or
special characters (! $ # %).
It cannot contain any 2 consecutive characters that appear in your user ID, first name or last name.
It must not be one of your 8 previous passwords.”

That’s a serious looking ruleset. But does it actually make things safer?

I doubt it. What do you think?


1 thought on “Password rules”

  1. I doubt it too.

    My quick thoughts:

    Outsource the auth – OpenID, Google, Facebook for ease of use. They’ve already given away their personal information there anyway.

    If passwords are really needed:

    * Blacklist the 25+ most common passwords and user IDs/names
    * Set a low minimum length (5/6 characters) with no complexity requirements
    * Lock the account, with an out-of-band notice containing a link to unlock it, if the account gets failed brute-force attempts made on it
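To make the post's question concrete, here is an added example (my code, not the government site's or the commenter's) that implements the quoted rule set alongside the commenter's blacklist alternative, and shows that a textbook-weak password satisfies every quoted rule. It reads "three of the following" as three of four classes (lowercase, uppercase, digit, special), and the user ID, names, history and blacklist contents are constructed placeholders.

```python
import hashlib

SPECIALS = set("!$#%")  # the special characters the quoted rules list

def classes_used(pw: str) -> int:
    """Count the character classes present: lowercase, uppercase, digit, special."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in SPECIALS for c in pw),
    ])

def shares_bigram(pw: str, *fields: str) -> bool:
    """True if two consecutive password chars also appear consecutively in a field."""
    low = pw.lower()
    bigrams = {low[i:i + 2] for i in range(len(low) - 1)}
    return any(b in f.lower() for f in fields if f for b in bigrams)

def pw_hash(pw: str) -> str:
    # Stand-in for the site's password-history storage; a real system would use
    # a slow salted hash. Plain sha256 keeps this constructed demo self-contained.
    return hashlib.sha256(pw.encode()).hexdigest()

def check_rules(pw, user_id, first, last, history):
    """Return the quoted rules the password violates (empty list = accepted)."""
    problems = []
    if len(pw) < 9:
        problems.append("shorter than nine characters")
    if classes_used(pw) < 3:
        problems.append("fewer than three character classes")
    if shares_bigram(pw, user_id, first, last):
        problems.append("shares two consecutive characters with user ID or name")
    if pw_hash(pw) in history[-8:]:
        problems.append("matches one of the 8 previous passwords")
    return problems

# Constructed stand-in for the commenter's "25+ most common passwords" blacklist.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein"}

def on_blacklist(pw, user_id, first, last):
    """The commenter's alternative: reject common passwords and the user's own names."""
    low = pw.lower()
    return low in COMMON_PASSWORDS or low in {user_id.lower(), first.lower(), last.lower()}

if __name__ == "__main__":
    # "Password1" satisfies every quoted rule yet sits on the blacklist.
    print(check_rules("Password1", "jsmith", "John", "Smith", []))  # []
    print(on_blacklist("Password1", "jsmith", "John", "Smith"))     # True
```

The complexity rules also reject a long all-lowercase passphrase such as "correct horse battery", which the blacklist approach would accept.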
