Is It a Best/Recommended Practice to Enforce Complex Passwords?

Problem scenario
You are modifying /etc/security/pwquality.conf. Is it a recommended practice to require few or no repeated characters and to require several character classes (lowercase, uppercase, digits and special characters)?

Solution
It can be counterproductive to impose very strong complexity requirements on passwords, according to NIST (https://pages.nist.gov/800-63-FAQ/).

If you are using Linux or Unix, NIST does suggest you check passwords against a crack-library (cracklib) dictionary (per A-B10 from https://pages.nist.gov/800-63-FAQ/). This check is often enabled by default.

You may want to read this: https://www.sans.org/blog/nist-has-spoken-death-to-complexity-long-live-the-passphrase/

The FBI says "Make sure your password is as long as the system will allow." (This was taken from https://www.fbi.gov/contact-us/field-offices/phoenix/news/press-releases/fbi-tech-tuesday-strong-passphrases-and-account-protection.)

Some sources still recommend complex passwords, for example the CMMC password requirements: https://www.sseinc.com/blog/cmmc-password-requirements/
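To make the trade-off concrete, here is an added example of /etc/security/pwquality.conf (written for this page, not taken from the original post, NIST or the FBI) that contrasts a composition-heavy policy of the kind the question asks about with a length- and dictionary-focused policy closer to the NIST guidance above. The numeric values are illustrative choices of mine, not figures from the cited sources; the option names are the standard pam_pwquality keys.

```conf
# /etc/security/pwquality.conf -- added example, not from the original post.
# Two illustrative policies are shown; the numbers are my own choices,
# not values taken from NIST or the FBI text cited above.
# Only one of the two blocks should be active in a real file.

# --- Policy A: composition-heavy (commented out; the kind of rule set the question asks about) ---
# minlen = 8
# minclass = 4          # require all four classes: lower, upper, digit, other
# maxrepeat = 2         # reject more than 2 identical consecutive characters
# maxclassrepeat = 3    # reject more than 3 consecutive characters of one class
# dictcheck = 1

# --- Policy B: length- and dictionary-focused (active; closer to NIST 800-63 guidance) ---
# Longer minimum; class and repeat checks disabled (0 turns them off).
minlen = 15             # illustrative; use the longest value your systems accept
minclass = 0
maxrepeat = 0
maxclassrepeat = 0
# Credits: a positive value grants length credit for using a class,
# a negative value makes that class mandatory, 0 does neither.
dcredit = 0
ucredit = 0
lcredit = 0
ocredit = 0
# Keep the cracklib dictionary check (enabled by default on most distributions)
# and reject passwords derived from the user name or GECOS field.
dictcheck = 1
usercheck = 1
gecoscheck = 1
# Apply the policy to root as well (flag option, no value).
enforce_for_root
```

The file only takes effect when the pam_pwquality module is referenced from the password stack in /etc/pam.d; after editing, the `pwscore` utility from libpwquality reads a candidate password on standard input and reports either its score or the rule it fails, which is a quick way to confirm that a long passphrase passes Policy B while a short, "complex" string does not.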
