- Minimum password length: 10 characters
- Commonly used passwords are forbidden. New prospective passwords are checked against various lists of common passwords
SWITCH edu-ID does not enforce password rules that are known to be ineffective: no periodic password change is required and no elaborate complexity rules apply. The only complexity requirement is that, in addition to lower case letters, at least one upper case letter, digit or punctuation character must be present.
- Choose a long password (> 15 chars). Read these hints.
- Don't re-use a password across multiple websites
Recommendations for memorized secrets
- The password should have at least 8 characters (the longer, the better)
- Do not impose complexity requirements
- Do not impose a maximum password length (permit at least up to 64 characters)
- Do not impose periodical password changes
- Allow all printing ASCII characters
- Do not truncate the secret
- Do not provide/allow password hints
- Reject prospective secrets that ...
  - were used in previous breaches
  - contain dictionary words
  - contain repetitive or sequential patterns
  - contain context-specific words like user name, service name etc.
- Provide a password strength meter
- Provide login rate limiting
- Allow password paste (encourage password managers)
- Offer an option to display the password being typed in (encourage long passwords)
- Secrets must be stored salted (salt > 32 bits) and hashed (SHA-3, HMAC, CMAC, ...)
- In addition, a further salt/hash operation should be performed with a secret salt
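The following is an added example, not SWITCH edu-ID's own code, that puts the two lists above into one place: a validator applying the edu-ID rules (10-character minimum, lower case plus one other character class, blocklist check) together with the recommended rejections (breached/common, dictionary, repetitive or sequential, context-specific words), and a storage routine that salts and SHA-3-hashes the secret and then applies an HMAC with a secret salt. The word lists and the `PASSWORD_PEPPER` environment variable are constructed for the example.

```python
import hashlib
import hmac
import os
import string

# Constructed sample lists: real deployments use large breach corpora, and the
# secret salt (pepper) belongs in a secrets store or HSM, never in source.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}
DICTIONARY_WORDS = {"summer", "password", "dragon", "football"}
PEPPER = os.environ.get("PASSWORD_PEPPER", "example-only-pepper").encode()  # assumed name

def has_repetition_or_sequence(pw, run=4):
    """True if pw has `run` identical chars in a row or `run` consecutive code points ('aaaa', 'abcd', '4321')."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        win = s[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(win, win[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False

def check_password(pw, context=()):
    """Return the list of policy violations for pw (empty list = accepted).
    Rules as on the page: >= 10 chars; lower case plus an upper case, digit or
    punctuation char; not common/breached; no dictionary, pattern or context word."""
    low, problems = pw.lower(), []
    if len(pw) < 10:
        problems.append("shorter than 10 characters")
    if not any(c.islower() for c in pw) or not any(
            c.isupper() or c.isdigit() or c in string.punctuation for c in pw):
        problems.append("needs lower case plus an upper case, digit or punctuation")
    if low in COMMON_PASSWORDS:
        problems.append("on the common/breached password list")
    if any(w in low for w in DICTIONARY_WORDS):
        problems.append("contains a dictionary word")
    if has_repetition_or_sequence(pw):
        problems.append("contains a repetitive or sequential pattern")
    if any(c.lower() in low for c in context if c):
        problems.append("contains a context-specific word (user or service name)")
    return problems

def hash_secret(pw, salt=b""):
    """Per-user salt + SHA-3, then HMAC with the secret salt (pepper). Returns (salt, digest)."""
    salt = salt or os.urandom(16)  # 128-bit random salt, well above the 32-bit minimum
    inner = hashlib.sha3_256(salt + pw.encode()).digest()
    return salt, hmac.new(PEPPER, inner, hashlib.sha3_256).digest()

def verify_secret(pw, salt, digest):
    return hmac.compare_digest(hash_secret(pw, salt)[1], digest)
```

The per-user salt and digest are stored together; the pepper is kept apart so a copied password table cannot be attacked offline without it. A plain keyed hash as listed on the page is fast by design, so a deliberately slow key-derivation function on top would add further work factor against guessing.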