Password policies are an integral part of security for most computing facilities. Even though passwords have supposedly outlived their usefulness they are still the single most common security control for authentication for online systems. Thus having a user-friendly but secure enough password policy and enforcing it is very important.

An administrator usually has the ability to set the acceptable password policy for a system. However common questions that arise are – What is the minimum length of a password? How many non-alpha characters (numbers and special symbols) should it have? Are there any restrictions on using both uppercase and lowercase characters? And many more.

I just read a reasonably old but very useful paper titled The Memorability and Security of Passwords Some Empirical Results authored by Jianxin Yan, Alan Blackwell, Ross Anderson and Alastair Grant. It is short 11-page paper describing an experiment carried out on approximately 400 students that gives empirical results on the memorability and security of passwords chosen via 3 different approaches – allow user to select, random password, mnemonic passphrase.

In a nutshell the paper recommends users to choose mnemonic passwords that are at least 8 characters long, preferably longer with individual characters being a mixture of letters, numbers and special symbols.

And while you are at it do read this article by Bruce Schneier – Choosing Secure Passwords. He talks about a password recovery program called PRTK that assumes that all passwords are made up of a root (need not be a dictionary word but is usually pronounceable) and an appendage (a suffix or prefix to the root). His recommendations for a difficult to crack password:

So if you want your password to be hard to guess, you should choose something not on any of the root or appendage lists. You should mix upper and lowercase in the middle of your root. You should add numbers and symbols in the middle of your root, not as common substitutions. Or drop your appendage in the middle of your root. Or use two roots with an appendage in the middle.

Even something lower down on PRTK’s dictionary list — the seven-character phonetic pattern dictionary — together with an uncommon appendage, is not going to be guessed. Neither is a password made up of the first letters of a sentence, especially if you throw numbers and symbols in the mix.

Interesting.