Microsoft have published a white paper, Microsoft Password Guidance, that contains some very good advice on what passwords need to be to be secure against modern password attacks, and also shoots down some very long-held beliefs about the benefits of password complexity.
Their advice to IT Administrators in short is:
- Maintain an 8-character minimum length requirement (and longer is not necessarily better).
- Eliminate character-composition requirements.
- Eliminate mandatory periodic password resets for user accounts.
- Ban common passwords, to keep the most vulnerable passwords out of your system.
- Educate your users not to re-use their password for non-work-related purposes.
- Enforce registration for multi-factor authentication.
- Enable risk based multi-factor authentication challenges.
Some of these fly in the face of commonly accepted wisdom, however in the paper there are links to studies that firmly back up each and every one of these recommendations. It’s worth at least skimming the whole paper, so go and check it out.
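To make the first three recommendations above concrete, here is a small password-acceptance check written as an added example for this post (it is not Microsoft's code, and the real Azure AD banned-password list and its matching rules are not reproduced here). It enforces the 8-character minimum, deliberately has no uppercase/digit/symbol composition rule, and rejects anything that matches a banned common password after a simple normalisation. The `BANNED_PASSWORDS` set, the `_LEET_MAP` substitutions and the trailing-digit stripping are all assumptions constructed for illustration; a production deployment would load a much larger list of leaked passwords.

```python
import re
import unicodedata

# Constructed sample banned list for illustration only (assumption).
# A real deployment would load a large list of leaked/common passwords.
BANNED_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "abc123",
    "iloveyou", "admin", "monkey", "dragon",
}

# Minimum length per the guidance; note there is no maximum-complexity rule.
MIN_LENGTH = 8

# Hypothetical substitution map so "P@ssw0rd" normalises to "password".
_LEET_MAP = str.maketrans({
    "@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
    "!": "i", "4": "a", "5": "s", "7": "t",
})


def normalise(password: str) -> str:
    """Reduce a password to a canonical form for banned-list comparison.

    Steps (assumed heuristics, not Microsoft's algorithm):
      1. Unicode NFKC fold and lowercase.
      2. Strip trailing digits/punctuation ("welcome2024!" -> "welcome").
      3. Map common leetspeak symbols back to letters.
    """
    base = unicodedata.normalize("NFKC", password).lower()
    base = re.sub(r"[\d\W_]+$", "", base)
    return base.translate(_LEET_MAP)


def check_password(password: str, banned=BANNED_PASSWORDS) -> list[str]:
    """Return the list of reasons the password is rejected.

    An empty list means the password is acceptable. Intentionally no
    character-composition requirement and no expiry logic, matching the
    guidance summarised above.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in banned or normalise(password) in banned:
        problems.append("matches a banned common password")
    return problems


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1", "Admin1", "correct horse battery staple"]:
        verdict = check_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The point of the normalisation step is that a banned list only helps if trivial variants are caught too: "P@ssw0rd1" satisfies every classic complexity rule yet is one of the first guesses any attacker tries, while a long lowercase passphrase that would fail those rules passes here.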