Password Policy

SWITCH edu-ID Password Requirements

  • Minimum password length: 10 characters
  • Commonly used passwords are forbidden. Each new prospective password is checked against several lists of common passwords:
    • a check against a locally stored list of common passwords (>40'000 words)
    • an online check against Pwned Passwords via its k-anonymity API (>500 million leaked passwords)

SWITCH edu-ID does not enforce ineffective password limitations. No periodic password change is required, and no particular complexity is required beyond one rule: in addition to lower case letters, at least one upper case letter, number or punctuation character must be present.

Recommendations to Users of SWITCH edu-ID

Summary of NIST Recommendations for Passwords

Recommendations for Memorized Secrets

a) For users

Dos

  • The password should have at least 8 characters (the longer, the better)

Don'ts

  • Do not impose complexity requirements
  • Do not impose a maximum password length (permit at least up to 64 characters)
  • Do not impose periodical password changes

b) For password verifiers

  • allow all printing ASCII characters
  • do not truncate the secret
  • do not provide/allow password hints
  • reject prospective secrets that ...
    • were used in previous breaches
    • contain dictionary words
    • contain repetitive or sequential patterns
    • contain context-specific words like user name, service name etc.
  • provide a password strength meter
  • provide login rate limiting
  • allow password paste (encourage password managers)
  • offer an option to display the password being typed in (encourage long passwords)
  • secrets must be stored salted (salt > 32 bits) and hashed (SHA-3, HMAC, CMAC, ...)
  • in addition, a further salt/hash operation should be performed using a secret salt
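The following is an added example, not SWITCH edu-ID's own code, showing how the checks listed above (minimum length, the one character-class rule, a local common-password list, repetitive or sequential patterns, context-specific words, and the Pwned Passwords k-anonymity range lookup) fit together in a verifier. The common-password list and the range response are constructed stand-ins; `offline_fetch_range` is an assumed hook where a real HTTPS GET would go.

```python
import hashlib
import string
# Constructed stand-in for the local common-password list (the real one has >40'000 entries).
COMMON_PASSWORDS = {"password", "password1", "qwertyuiop", "letmein123", "welcome2024"}

# Constructed stand-in for the Pwned Passwords range endpoint (GET .../range/<5-hex-char prefix>):
# each line is "<35-char SHA-1 suffix>:<breach count>"; the real service returns hundreds per prefix.
_LEAKED = hashlib.sha1(b"Password123").hexdigest().upper()
SAMPLE_RANGES = {_LEAKED[:5]: ("0018A45C4D1DEF81644B54AB7F969B88D65:1\n"
                               f"{_LEAKED[5:]}:126927\n"
                               "011053FD0102E94D6AE2F8B83D76FAF94F6:2\n")}

def offline_fetch_range(prefix: str) -> str:
    # Assumed hook: replace with a real HTTPS request to the range endpoint in production.
    return SAMPLE_RANGES.get(prefix, "")

def breach_count(password: str, fetch_range=offline_fetch_range) -> int:
    """k-anonymity lookup: only the 5-char SHA-1 prefix leaves the client;
    the full suffix is matched locally against the returned range."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        found, _, count = line.strip().partition(":")
        if found == suffix:
            return int(count)
    return 0

def has_simple_pattern(s: str) -> bool:
    """Three identical characters in a row, or three consecutive code points (abc, 123)."""
    steps = [ord(b) - ord(a) for a, b in zip(s, s[1:])]
    return any(steps[i] == steps[i + 1] in (0, 1) for i in range(len(steps) - 1))

def check_password(candidate: str, context_words=(), fetch_range=offline_fetch_range) -> list:
    """Return the reasons to reject the candidate; an empty list means it is acceptable."""
    problems = []
    if len(candidate) < 10:
        problems.append("shorter than 10 characters")
    has_lower = any(c.islower() for c in candidate)
    has_other = any(c.isupper() or c.isdigit() or c in string.punctuation for c in candidate)
    if not (has_lower and has_other):
        problems.append("needs lower case plus an upper case letter, digit or punctuation")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("on the local common-password list")
    if has_simple_pattern(candidate):
        problems.append("contains a repeated or sequential character run")
    problems += [f"contains context-specific word '{w}'"
                 for w in context_words if w.lower() in candidate.lower()]
    if (n := breach_count(candidate, fetch_range)):
        problems.append(f"seen {n} times in breaches")
    return problems
```

Because the suffix comparison happens on the client, the service never learns the full hash, which is the point of the k-anonymity design.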

References