Enforcing strong password criteria
You wouldn’t think that a benign-sounding topic such as strong password criteria would be so controversial, but it is. The conventional wisdom that you’ve undoubtedly heard for your entire computer career says:
- Make passwords of a certain minimum length.
- Make passwords that consist of a combination of uppercase letters, lowercase letters, numbers, and special characters.
- Ensure that passwords don’t contain any words that are found in the dictionary or that are based on the users’ own personal data.
- Force users to change their passwords on a regular basis.
But using your favorite search engine, you’ll see that different experts disagree on the details of these criteria. For example, you’ll see disagreements about whether passwords should be changed every 30, 60, or 90 days, disagreements about whether all four types of characters need to be in a password, and even disagreements...