I have to write a password specification - for a product and not a web application (if that makes a difference). I could arbitrarily guess at numbers but want to be more scientific. Is there a standard (like an IEC standard), or defined best-practice, for things like minimum length, maximum length, complexity and so on? Ideally a standard I could just point to.
Viewed 650 times
1 Answer
3
The NIST guidelines contain excellent and modern recommendations. For example, they recommend checking the password against a blacklist instead of enforcing that it contains character classes (uppercase, numbers, punctuation characters).
However, it may be that other parties that are specific to your industry enforce other guidelines, for example if you are subject to HIPAA or PCI-DSS.
A more scientific approach would be to calculate the entropy of a password. However, calculating entropy assumes totally random passwords, and users prefer using their cat's name instead of a randomly generated password.
Sjoerd
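As an added example, not part of the original answer: a small Python validator that applies the length and denylist checks the answer attributes to the NIST guidelines (no character-class rules), plus a helper for the entropy of a randomly generated password. The denylist entries are constructed, the 8/64 length bounds are assumed from NIST SP 800-63B, and the case-insensitive denylist comparison is a design choice rather than something the answer states.

```python
import math
import unicodedata

# Constructed sample denylist; a real product would load a large list of
# breached/common passwords rather than these few entries.
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "fluffy2019"}

MIN_LENGTH = 8    # assumed: NIST SP 800-63B minimum for user-chosen secrets
MAX_LENGTH = 64   # assumed: NIST asks verifiers to accept at least 64 chars


def normalize(password: str) -> str:
    """Apply Unicode NFKC so visually identical inputs compare equal."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str) -> list:
    """Return the reasons a password is rejected; an empty list means accepted.

    Only length and denylist checks are applied: no composition rules,
    which is what the answer says NIST recommends instead of complexity.
    Spaces and any printable character are allowed as-is.
    """
    pw = normalize(password)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    # Case-insensitive match is a design choice (assumption), not NIST text.
    if pw.lower() in BREACHED_PASSWORDS:
        problems.append("appears in breached-password list")
    return problems


def random_password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy (bits) of a password drawn uniformly from alphabet_size**length.

    Only meaningful for generated passwords; a user-chosen cat's name has
    far less entropy than this formula suggests, as the answer notes.
    """
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "Tr0ub4!", "Password"]:
        print(repr(candidate), check_password(candidate) or "accepted")
    print("12-char random from 94 symbols:",
          round(random_password_entropy_bits(12, 94), 1), "bits")
```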