Password Policy

SWITCH edu-ID Password Requirements

  • Minimum password length: 10 characters
  • Commonly used passwords are forbidden. New prospective passwords are checked against various lists of common passwords
    • a check against a locally stored list of common passwords (more than 40'000 entries)
    • an online check against Pwned Passwords via its k-anonymity range API (more than 500 million leaked passwords); only a short hash prefix leaves the service, never the password itself

SWITCH edu-ID does not enforce password limitations that have proven ineffective: no periodic password change is required, and no particular composition (complexity) rules are imposed.
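The two checks above can be implemented in a few dozen lines. The following Python is an added example, not SWITCH edu-ID's own code: the local common-password list and the breach counts are constructed stand-ins (the real list and the Pwned Passwords corpus are far larger), and `hibp_range` is the only part that talks to the real Pwned Passwords range endpoint. The `fake_range` fetcher reproduces the API's `SUFFIX:COUNT` response format so the whole thing runs offline.

```python
import hashlib
import urllib.request
from typing import Callable

MIN_LENGTH = 10

# Constructed stand-in for the locally stored list of common passwords
# (the real list on the service has more than 40'000 entries).
COMMON_PASSWORDS = frozenset({"password", "123456789012", "qwertyuiop", "letmein123"})


def sha1_hex_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Pwned Passwords k-anonymity lookup.

    Only the first five hex characters of the SHA-1 hash are sent to the API; the
    response lists every known suffix in that range with its breach count, and the
    comparison against our own suffix happens locally.
    """
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate_suffix, _, count = line.partition(":")
        if candidate_suffix.upper() == suffix:
            return int(count)
    return 0


def hibp_range(prefix: str) -> str:
    """Real range query against https://api.pwnedpasswords.com/range/<prefix> (needs network)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "edu-id-policy-example"},  # the API requires a User-Agent
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str, fetch_range: Callable[[str], str] = hibp_range) -> list[str]:
    """Return the policy violations for a prospective password (empty list means acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the local list of common passwords")
    count = pwned_count(password, fetch_range)
    if count:
        problems.append(f"seen {count} times in breach data (Pwned Passwords)")
    return problems


# --- Offline stand-in for the API so the example runs without network access ---
# Constructed breach counts; the real service answers from >500 million leaked passwords.
CONSTRUCTED_LEAKS = {"password": 3861493, "correcthorsebatterystaple": 1200}


def fake_range(prefix: str) -> str:
    """Build a response in the same 'SUFFIX:COUNT' line format as the real API."""
    lines = ["0" * 35 + ":1"]  # unrelated filler suffix; a real range has hundreds of lines
    for leaked, count in CONSTRUCTED_LEAKS.items():
        digest = sha1_hex_upper(leaked)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


if __name__ == "__main__":
    for candidate in ("password", "correcthorsebatterystaple", "a8f!Qz-tree-lamp-47"):
        print(candidate, "->", check_password(candidate, fake_range) or "accepted")
```

Swapping `fake_range` for `hibp_range` in the call to `check_password` turns this into a live check; the hash prefix is the only thing that crosses the network, which is the whole point of the k-anonymity design.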

Recommendations to Users of SWITCH edu-ID

Summary of NIST Recommendations for Passwords

Recommendations for Memorized Secrets

a) For users

Dos

  • The password should have at least 8 characters (the longer, the better)

Don'ts

  • Do not impose complexity requirements
  • Do not impose a maximum password length (permit at least up to 64 characters)
  • Do not impose periodical password changes

b) For password verifiers

  • allow all printing ASCII characters
  • do not truncate the secret
  • do not provide/allow password hints
  • reject prospective secrets that ...
    • were used in previous breaches
    • contain dictionary words
    • contain repetitive or sequential patterns
    • contain context-specific words like user name, service name etc.
  • provide a password strength meter
  • provide login rate limiting
  • allow password paste (encourage password managers)
  • offer an option to display the password being typed in (encourage long passwords)
  • secrets must be stored salted (salt > 32 bits) and hashed (SHA-3, HMAC, CMAC, ...)
  • additionally, a second hash operation should be performed with a secret salt that is kept separate from the stored hashes
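The verifier-side rules above (rejecting repetitive, sequential and context-specific secrets; salted hashing plus a second operation keyed with a secret salt) are shown together in the following Python. This is an added example, not code from SWITCH edu-ID or NIST. Assumptions: the keyboard rows are a US layout, "sequential" means four or more stepwise characters, the salted step uses PBKDF2-HMAC-SHA-256 (an iterated HMAC construction, chosen here over a single plain hash), and the secret salt ("pepper") is applied as an HMAC key that would normally live in a KMS or HSM rather than in the code.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

# Constructed keyboard rows used to spot "qwerty"-style sequences (assumption: US layout).
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
SEQUENCE_RUN = 4          # four or more stepwise characters counts as sequential
SALT_BYTES = 16           # 128-bit random per-user salt, well above the 32-bit minimum
PBKDF2_ITERATIONS = 600_000


def has_repetition(password: str) -> bool:
    """Three or more identical characters in a row, or a string that is one unit repeated."""
    if re.search(r"(.)\1{2,}", password):
        return True
    n = len(password)
    for unit in range(1, n // 2 + 1):
        if n % unit == 0 and password[:unit] * (n // unit) == password:
            return True
    return False


def has_sequence(password: str, run: int = SEQUENCE_RUN) -> bool:
    """Ascending/descending code-point runs ("abcd", "4321") or keyboard-row runs ("qwer")."""
    p = password.lower()
    for i in range(len(p) - run + 1):
        window = p[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({1}, {-1}):
            return True
        if any(window in row or window in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False


def contains_context_word(password: str, context_words) -> bool:
    """Reject the user name, service name, etc., and any of their tokens of 4+ characters."""
    p = password.lower()
    for word in context_words:
        w = word.lower()
        tokens = [w] + re.split(r"[^a-z0-9]+", w)
        if any(len(t) >= 4 and t in p for t in tokens):
            return True
    return False


def verifier_checks(password: str, context_words) -> list[str]:
    """Return the reasons a verifier should reject the prospective secret (empty if none)."""
    problems = []
    if has_repetition(password):
        problems.append("repetitive pattern")
    if has_sequence(password):
        problems.append("sequential pattern")
    if contains_context_word(password, context_words):
        problems.append("contains context-specific word")
    return problems


def hash_secret(password: str, pepper: bytes, salt: Optional[bytes] = None) -> tuple:
    """Salted, iterated hash, then a second keyed hash with the secret salt ('pepper').

    The per-user salt is stored beside the result; the pepper is kept only in the
    application's secret store, so a leaked hash table alone is not enough for offline cracking.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    peppered = hmac.new(pepper, derived, "sha256").digest()
    return salt, peppered


def verify_secret(password: str, pepper: bytes, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_secret(password, pepper, salt)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # Constructed sample values; a real deployment loads the pepper from a secrets store.
    pepper = bytes.fromhex("00" * 31 + "01")
    context = ["alice.meier@example.org", "SWITCH edu-ID"]
    for candidate in ("Alice2024!xyz", "xk1234yz-qp", "horse-battery-staple-42"):
        print(candidate, "->", verifier_checks(candidate, context) or "accepted")
    salt, stored = hash_secret("horse-battery-staple-42", pepper)
    print("verify:", verify_secret("horse-battery-staple-42", pepper, salt, stored))
```

The pattern checks are deliberately coarse; they catch the cases the list names and nothing more, so they do not quietly become a complexity rule. The storage side keeps the salt next to each record and the pepper elsewhere, which is what makes the second operation useful: rotating or losing the pepper invalidates every stored hash at once, so it needs the same operational care as any other long-lived key.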
