- \n
- The user\u2019s NetID, real first name and real last name cannot be used as part of the password.<\/li>\n
- Single 15+ character words are not allowed (this is called a \u201cdictionary check\u201d).<\/li>\n
- Password history will be retained and checked: the user must choose a different password at each change.<\/li>\n
- Some weak choices and easily guessed phrases are also being blocked (including sequential strings like \u2018abcdefgh\u2019, movie\/book titles, CSU fight song lyrics, and passwords used as examples on the web site and in presentations that have been given as part of this policy transition).<\/li>\n<\/ul>\n<\/li>\n
- With this new list of requirements, the refresh rate moves from 6 months to 1 year. So any password created after April 1st will be good for a year from the date of the change.<\/li>\n<\/ol>\n
Here are some of the concepts that drove ACNS in the decision-making for the new policy:<\/p>\n
- \n
- Our current password scheme is simply too weak, given the advances in attacks.<\/li>\n
- In choosing a stronger password, we want to avoid unnecessary complication and ease usage wherever possible.<\/li>\n
- Expanded use of mobile devices has made traditional \u201cstrong\u201d passwords, which rely on excessive complexity and obfuscation, increasingly difficult to use (particularly on phones that require multiple screens to access all the special characters).<\/li>\n
- Difficulty of guessing, difficulty of remembering, and difficulty of typing a password are separate concepts.\n
- \n
- Our current scheme asks users to select passwords that can be difficult to remember and type, but are easy for computers to guess.<\/li>\n
- Our goal is to create passwords that are easy for humans to remember and type, but hard for computers to guess.<\/li>\n<\/ul>\n<\/li>\n
- So here\u2019s how longer, simpler passwords address those three concepts (guessing, remembering, and typing):\n
- \n
- Longer strings of lower-case letters, even when arranged into a sequence of real words, can provide better defense against guessing than short, complex character strings. Expressed differently: length is much more important than complexity.<\/li>\n
- A string of common words can be more easily memorized than a string of nonsense characters or special-character substitutions. Each word can be remembered as a \u201cchunk\u201d, requiring only a few word-sized chunks rather than a much longer series of individual special characters or substitutions.<\/li>\n
- A sequence of real words in all lower-case letters is easier to type than special characters that require Shift or Alt on a normal keyboard or additional entry screens on mobile devices.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n
And, finally, here is some much needed comic relief: http:\/\/xkcd.com\/936<\/a><\/p>\n
![\"password_strength\"](\"http:\/\/imgs.xkcd.com\/comics\/password_strength.png\" "\\"Click")
<\/a><\/p>\n