Preface
Length and complexity requirements beyond those recommended here significantly increase the difficulty of memorized secrets and increase user frustration. As a result, users often work around these restrictions in a way that is counterproductive. Furthermore, other mitigations such as blacklists, secure hashed storage, and rate limiting are more effective at preventing modern brute-force attacks. Therefore, no additional complexity requirements should be imposed.
Let's look into what is actually required in modern security standards/frameworks.
| Standard | Mandatory Password Rotation | Minimum Password Length | Password Charset Restrictions |
|---|---|---|---|
| NIST SP 800-63B | No | 8 | None |
| PCI-DSS v4.0 | No* | 12 | ? |
| Microsoft | No | 14 | None |
| (Danish) CFCS | No | 15 | None |
| Canadian Centre for Cyber Security | No | 12 | None |
NIST Special Publication 800-63B (2017)
TL;DR - 8 chars minimum length, no charset restrictions but ban dictionary/context-specific words, enforce rate-limits and no password hints.
Quotes:
Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets.
Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).
Payment Card Industry (PCI) - Data Security Standard (DSS) (2022)
TL;DR - 12 chars minimum length, charset should contain both numeric and alphabetic characters, enforce rate-limits.
Quotes:
Passwords/passphrases are changed at least once every 90 days, OR The security posture of accounts is dynamically analyzed, and real-time access to resources is automatically determined accordingly.
Password policy recommendations for Microsoft 365 passwords (2023)
TL;DR - 14 chars minimum length, no charset restrictions but ban dictionary/context-specific words, enforce rate-limits and MFA.
Quotes:
Password expiration requirements do more harm than good
Password complexity requirements reduce key space and cause users to act in predictable ways, doing more harm than good.
The Centre for Cyber Security (CFCS) - Passwordsikkerhed (2023)
TL;DR - 15 chars minimum length, no charset restrictions but ban dictionary words, enforce MFA and encourage password-manager usage..
Quotes (danish):
Undgå unødvendige komplicerede passwordregler - god længde. Lavere kompleksitet
Tvunget passwordskift skal benyttes, hvis der findes tegn på eller mistanke om kompromittering
Hvis der gennemtvinges periodisk ændring af passwordet, sammensætter brugere ofte et nyt, som er næsten identisk med det tidligere