Stanford University recently updated the password requirements for student and faculty access to the internal resources of its network. Strict requirements to use mixed-case letters, numbers and special characters now apply only to short passwords, and the longer the password, the softer the requirements. With a password length of 8 to 11 characters, all of them are mandatory; from 12 to 15, mixed-case letters and numbers are enough; from 16 to 19, numbers can be dropped as well; and there are no restrictions for passwords of 20 characters or more.
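The tiered policy described above, written as a validator. This is an added example, not Stanford's own code; the `TIERS` table layout, the function names, the rejection of passwords shorter than 8 characters and the rule that any non-alphanumeric character counts as "special" are assumptions.

```python
# Tiers from the article: (minimum length, required character classes).
# Ordered longest first; the first tier whose minimum fits is the one applied.
# There is deliberately no upper length limit, so long passphrases are accepted.
TIERS = [
    (20, set()),
    (16, {"lower", "upper"}),
    (12, {"lower", "upper", "digit"}),
    (8, {"lower", "upper", "digit", "special"}),
]


def char_classes(password):
    """Return the set of character classes present in the password."""
    found = set()
    for ch in password:
        if ch.islower():
            found.add("lower")
        elif ch.isupper():
            found.add("upper")
        elif ch.isdigit():
            found.add("digit")
        elif not ch.isalnum():
            # Assumption: spaces and punctuation both count as "special".
            found.add("special")
    return found


def check(password):
    """Return (ok, missing): missing lists what the applicable tier still needs."""
    for min_len, required in TIERS:
        if len(password) >= min_len:
            missing = sorted(required - char_classes(password))
            return (not missing, missing)
    # Assumption: anything under the shortest tier (8 characters) is rejected.
    return (False, ["length"])


if __name__ == "__main__":
    # Constructed sample passwords, one or more per tier.
    for pw in ["short", "Passw0rd", "Tr0ub4dor&3", "CorrectHorse",
               "correcthorsebattery", "correcthorsebatterystaple"]:
        ok, missing = check(pw)
        print(f"{len(pw):2d} chars  {'ok ' if ok else 'bad'}  missing={missing}")
```

The same all-lowercase phrase fails at 19 characters and passes at 25, which is the trade of complexity for length that the policy makes.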
After a series of high-profile hacks and password database leaks over the past couple of years, many began to say that passwords had become obsolete and were no longer able to protect information effectively: any password that is easy to remember is likely to be easy to crack. With a limited password length, a password that is to stay strong should look more like a cryptographic key, a set of random characters, than a secret word. And such keys are more conveniently stored in a password manager than in your own memory.
If ease of memorization is required, it is better to use multi-word passphrases. This is the direction the new Stanford policy pushes users in, and perhaps many sites should follow its example. I still periodically run into sites where the password length is capped and a long phrase cannot be used as a password. Or, regardless of the length of the password, the site insists that it contain special characters, numbers and capital letters. Such passwords are especially painful to type on mobile devices without a full keyboard.
In principle, there is nothing revolutionary in the new requirements of Stanford University, but this is a very good example of how to combine security concerns and user convenience with very little effort. For clarity, the university published a small infographic with an explanation of the new policy and recommendations for using passwords.
