
User password age/complexity policy

May 4

Has anyone got any resources for determining a reasonable password policy for my users? My personal leaning is to ratchet up password complexity and allow them to change them less often as a kind of compromise. It seems that my average user has a higher tolerance for mixing in some numbers and special characters than they had 5 or 10 years ago.

I'm looking for rules of thumb and/or resources I can use to back up my proposed policy changes. Or even anecdotal info from those with more experience.

(I'm far from a security guru, so if that's just too vague to deal with, let's narrow the question to apply just to internal Windows networking passwords, though I'd be interested in what people are doing in terms of VPN and web service policy.)


In today's world of random brute-force password attacks, I tend to agree with the statement that: a good password written down is better than a memorized password that is easy to guess

Here's a good comparison of password strength:


You're doing the right thing by considering what your users are willing to work with. If you force highly complex passwords that must change frequently, you'll find your post-it note consumption will skyrocket.

There's a sensible contribution to this topic from Gene Spafford at Purdue's CERIAS. Here's a partial quote:

So where did the “change passwords once a month” dictum come from? Back in the days when people were using mainframes without networking, the biggest uncontrolled authentication concern was cracking. Resources, however, were limited. As best as I can find, some DoD contractors did some back-of-the-envelope calculation about how long it would take to run through all the possible passwords using their mainframe, and the result was several months. So, they (somewhat reasonably) set a password change period of 1 month as a means to defeat systematic cracking attempts. This was then enshrined in policy, which got published, and largely accepted by others over the years. As time went on, auditors began to look for this and ended up building it into their “best practice” that they expected. It also got written into several lists of security recommendations.

This is DESPITE the fact that any reasonable analysis shows that a monthly password change has little or no end impact on improving security!
It is a “best practice” based on experience 30 years ago with non-networked mainframes in a DoD environment—hardly a match for today’s systems, especially in academia!

I'm much more in favour of longer passwords (which, realistically, means multi-word phrases if you're going to remember them) instead of mixing in words and numbers. If you force people to add numbers, they're more likely to do simple things like replace i with 1 etc., which doesn't gain you very much security.
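The point about "replace i with 1" is easy to make concrete. The checker below is an added example, not code from the answer above or from any product: it undoes the usual digit/symbol substitutions before looking a password up in a word list (the same thing cracking tools do with mangling rules), so "P@ssw0rd2009!" is rejected as the dictionary word it is, while a multi-word passphrase of ordinary words is accepted. The word list is a constructed, tiny stand-in for the multi-million-entry lists attackers actually use, and the 100,000-word dictionary size in the strength comparison is an assumption for illustration.

```python
import re
from math import log2

# Constructed, deliberately tiny word list standing in for the multi-million
# entry lists crackers actually use (assumption: a real checker loads one of those).
DICTIONARY = {
    "password", "welcome", "summer", "winter", "monkey", "dragon", "letmein",
    "correct", "horse", "battery", "staple", "company",
}

# The substitutions users reach for when a policy demands digits/symbols.
# Cracking tools undo exactly these with mangling rules, so the checker
# undoes them too before looking the word up.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})
SUBSTITUTABLE = set("oieast")  # letters that have a substitution above

def normalize(password):
    """Lower-case, drop a trailing year/symbol run, undo leet substitutions.
    'P@ssw0rd2009!' -> 'password'."""
    base = re.sub(r"[^a-z]+$", "", password.lower())
    return base.translate(LEET_MAP)

def is_dictionary_derived(password):
    return normalize(password) in DICTIONARY

def check_password(password, min_length=12, min_words=4):
    """Return (accepted, reason). Rejects short passwords and disguised
    dictionary words; accepts passphrases of min_words+ distinct words."""
    if len(password) < min_length:
        return False, "too short"
    if is_dictionary_derived(password):
        return False, "dictionary word with substitutions"
    words = re.findall(r"[a-z]+", password.lower())
    if len(words) > 1 and all(w in DICTIONARY for w in words) \
            and len(set(words)) < min_words:
        return False, "too few words for a passphrase"
    return True, "ok"

def substitution_variants(word):
    """Number of leet variants an attacker must try: each substitutable
    letter is either left alone or replaced (2 choices; a slight undercount
    where a letter has several replacements)."""
    k = sum(1 for ch in word.lower() if ch in SUBSTITUTABLE)
    return 2 ** k

def leet_search_space_bits(word, dictionary_size):
    """Effective bits for 'dictionary word + substitutions', i.e. what the
    attacker actually searches, versus the naive charset**length figure."""
    return log2(dictionary_size * substitution_variants(word))

def naive_bits(password, alphabet_size=95):
    return len(password) * log2(alphabet_size)

if __name__ == "__main__":
    for pw in ["P@ssw0rd2009!", "Summer2009!", "monkey dragon",
               "correct horse battery staple", "Xq7#kL9!pZ2m"]:
        print(pw, check_password(pw))
    # 'password' with 4 substitutable letters against an assumed 100k-word list
    print(round(leet_search_space_bits("password", 100_000), 1),
          "bits vs naive", round(naive_bits("P@ssw0rd"), 1))
```

Against a 100,000-word list, "P@ssw0rd" costs an attacker about 2^20.6 guesses (the list times 16 substitution variants), not the 2^52.6 that "8 characters from 95 symbols" suggests; that gap is what the complexity rule is buying you when users apply it mechanically.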


There are tons of material on password policies. I recommend taking a look at

Now, something must be said about password sanity. The fact is that passwords that are hard to remember are written down. The same goes for passwords that must be changed too often. The bottom line: it depends on what you're protecting and your userbase.

The policy should reflect what the users are using the computers for and how sensitive the information the user handles on them is. If it is just to contain the user's preferences, you do not really need it heavily fortified if everything else is in place to repel attacks. If the opposite is the case, I would rather have annoyed users moaning about complex passwords to remember.

I have about 20-some complex passwords in my head at all times, and I have started creating them using patterns on the keyboard to remember them by. It makes it easier as I only need to know the starting point and what kind of pattern to make. Everybody hates changing passwords, but this technique allows me to change them around easily and remember them, so security is tight... for me at least. I can even note down one letter on a piece of paper and still recall what pattern to make, and I don't really remember things too well. Whether this has any use for anyone else, however... I don't know.

Writing down a complex password without obfuscating it seems just wrong to me. If someone is trying to break into a computer physically you can be sure they will look for some tell-tale.

I believe, when I worked for a healthcare institution, that some of our requirements came from HIPAA. I haven't looked at the SOX regs (which I guess I now adhere to in the insurance world), but they may have some similar language as a basis for this sort of thing.

Beyond that, if you're part of a larger IT organization (sub-division in a larger corporation) the corporation may have rules that could be adhered to.

Bottom line needs to be that, whatever policy gets implemented, it be blessed by senior management, and preferably written up in a security or IT policy that all staff need to be made aware of/adhere to. It doesn't need to be draconian (change password every 180 days, combination of alpha and numerics), but it should be company policy so everyone is crystal clear on the requirement.

Been some good suggestions so I'm just going to add this:

As long as you're able to make sure that you can be exempt from the policy... I have a good memory, so personally I prefer to be able to use an 18-character password that's ridiculously complex for 6 months or more than a simple one that I have to change once a month.

Keep in mind that a 16-character password that uses only lowercase and uppercase letters and spaces gives 53^16 combinations or 3.876*10^27, whereas 10-character passwords that use lowercase and uppercase letters, numbers and symbols only give 95^10 or 5.987*10^19.
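The arithmetic in the answer above, carried a little further as an added example (not part of the original answer): the same keyspace function reproduces the 53^16 and 95^10 figures, then generalises them to "how long does a passphrase from a smaller alphabet need to be to beat a shorter complex password", and to the "time to exhaust the keyspace" calculation that the Spafford quote earlier in the thread says the monthly change rule was originally derived from. The 10^9 guesses/second attacker rate is an assumed order of magnitude for offline attacks on a fast hash, not a measured figure. One caveat the numbers do not show: the keyspace is an upper bound on attacker effort; a passphrase built from a few common words is searched by dictionary, not character by character, so its real cost is far below 53^16.

```python
from math import log2

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Alphabet sizes; the first two are the ones the answer above compares.
ALPHABETS = {
    "lower+upper+space": 26 + 26 + 1,   # 53
    "all printable ASCII": 95,
    "lower only": 26,
}

def keyspace(length, alphabet_size):
    """Number of candidates an exhaustive search must try."""
    return alphabet_size ** length

def bits(length, alphabet_size):
    return length * log2(alphabet_size)

def length_needed(alphabet_size, target_space):
    """Smallest length whose keyspace is at least target_space."""
    n = 1
    while alphabet_size ** n < target_space:
        n += 1
    return n

def years_to_exhaust(space, guesses_per_second):
    """Worst-case time for an attacker at the given rate. The rate is the
    whole story, which is why a change interval derived from it is only
    valid for the hardware it was computed on."""
    return space / guesses_per_second / SECONDS_PER_YEAR

def compare(guesses_per_second):
    """Rows of (label, length, bits, years) for a few policy choices."""
    rows = []
    for label, size in ALPHABETS.items():
        for length in (8, 10, 12, 16):
            space = keyspace(length, size)
            rows.append((label, length, round(bits(length, size), 1),
                         years_to_exhaust(space, guesses_per_second)))
    return rows

if __name__ == "__main__":
    # Assumed attacker rate, not a measured figure: 1e9 guesses/s is a
    # plausible order of magnitude for offline attacks on a fast hash.
    rate = 1e9
    target = keyspace(10, 95)
    print("95^10 =", f"{target:.3e}", " 53^16 =", f"{keyspace(16, 53):.3e}")
    for size in (53, 26):
        print(f"alphabet {size}: need length {length_needed(size, target)} "
              f"to beat 95^10")
    for label, length, b, years in compare(rate):
        print(f"{label:22s} len {length:2d}  {b:5.1f} bits  {years:12.3g} years")
```

With the 53-symbol alphabet, 12 characters already exceed 95^10, and 14 lowercase-only characters do as well; at the assumed rate, 95^8 falls in under three months while 95^10 takes about 1,900 years, which is the kind of gap that makes a longer change interval for longer passwords defensible.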


Copyright (C) 2017 ceus-now.com, All Rights Reserved.