- Minimum password length: 10 characters
- Commonly used passwords are forbidden. New prospective passwords are checked against various lists of common passwords
SWITCH edu-ID does not enforce password rules that have proven ineffective: no periodic password change is required, and no particular complexity is required.
- Choose a long password (> 15 chars)
- Don't re-use a password across multiple websites
Recommendations for memorized secrets
- The password should have at least 8 characters (the longer, the better)
- Do not impose complexity requirements
- Do not impose a maximum password length (permit at least up to 64 characters)
- Do not impose periodical password changes
- allow all printing ASCII characters
- do not truncate the secret
- do not provide/allow password hints
- reject prospective secrets that ...
  - were used in previous breaches
  - contain dictionary words
  - contain repetitive or sequential patterns
  - contain context-specific words like user name, service name etc.
- provide a password strength meter
- provide login rate limiting
- allow password paste (encourage password managers)
- offer an option to display the password being typed in (encourage long passwords)
- secrets must be stored salted (salt of at least 32 bits) and hashed (SHA-3, HMAC, CMAC, ...)
- In addition, a second salt/hash operation should be performed with a secret salt
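As an added illustration of the rejection rules and the salt/hash/keyed-hash storage recommended above (example code written for this page, not SWITCH edu-ID's own implementation; the breach list, dictionary, user name, service name and secret key value are constructed placeholders):

```python
import hashlib
import hmac
import os
import re

# Constructed stand-ins for a real breach corpus and a real dictionary.
BREACHED = {"password1", "qwerty123", "letmein!"}
DICTIONARY = {"password", "welcome", "summer", "dragon"}

def is_sequential(s, run=4):
    """True if s has `run` consecutive characters stepping by +1 or -1 (abcd, 4321)."""
    codes = [ord(c) for c in s.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False

def check_password(candidate, username, service, min_length=8):
    """Return the list of violated rules; an empty list means the secret is acceptable.
    No maximum length and no truncation: long passphrases pass through unchanged."""
    reasons = []
    low = candidate.lower()
    if len(candidate) < min_length:
        reasons.append("too short")
    if low in BREACHED:
        reasons.append("found in breach list")
    if any(w in low for w in DICTIONARY if len(w) >= 4):
        reasons.append("contains dictionary word")
    if re.search(r"(.)\1{3,}", candidate):  # same character four or more times in a row
        reasons.append("repetitive pattern")
    if is_sequential(candidate):
        reasons.append("sequential pattern")
    if any(ctx.lower() in low for ctx in (username, service) if ctx):
        reasons.append("contains context-specific word")
    return reasons

def hash_secret(password, pepper, salt=None):
    """Salted SHA-3 digest, then an HMAC under a secret key kept outside the user database."""
    if salt is None:
        salt = os.urandom(16)  # 128-bit random salt, well above the 32-bit minimum
    digest = hashlib.sha3_256(salt + password.encode("utf-8")).digest()
    keyed = hmac.new(pepper, digest, hashlib.sha3_256).digest()
    return salt, keyed

def verify_secret(password, pepper, salt, stored):
    """Recompute with the stored salt and compare in constant time."""
    _, keyed = hash_secret(password, pepper, salt)
    return hmac.compare_digest(keyed, stored)
```

The example follows the list above in using SHA-3 plus HMAC; a deliberately slow key derivation function would make offline guessing of a leaked database costlier than a plain digest.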