Password Policy

Originally posted 2006-02-10 14:25:07

An internal audit at the company where I work determined that we should strengthen our corporate password policy. Consequently, our head of data security drafted a new policy and began to solicit comments. At a company-wide meeting, he officially presented the policy one month before its institution. Management continued to socialize the new policy to prepare folks for the rollout. No one complained. No one squawked. No one cared.

This past week, one of the security people emailed the new policy to everyone in the company, effective immediately. It looks like this:

As many of you have already noticed, stricter rules are being enforced when choosing a new password.

The new rules are the following:

– the new password MUST be at least 8 characters long
– the new password MUST contain at least one character from three of these four groups:
    – lowercase letters (a-z)
    – uppercase letters (A-Z)
    – digits (0-9)
    – symbols (~!@#$%^&*, etc)
– the new password must be different from the last 24 passwords
– the new password must not contain the username

For example, under these new rules, these passwords are valid:
AVeryGood1
Rock`N’Roll
64000$question

The following passwords instead will be rejected:
2easy2guess (why: only lowercase letters and digits – not enough)
Abc123 (why: too short)
100+100=200 (why: only digits and symbols – not enough)
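The rules in that email are mechanical enough to encode directly, and doing so shows where the policy actually bites. The validator below is an added example, not code from the original post or from the company's password system; it assumes the "symbols" group means any ASCII punctuation character (the email's "etc"), that the "last 24 passwords" are kept as salted PBKDF2 hashes rather than in clear text, and that the username check is case-insensitive. The function names, the `reason` strings and the sample history are all hypothetical.

```python
import hashlib
import hmac
import os
import string

MIN_LENGTH = 8          # "at least 8 characters long"
REQUIRED_GROUPS = 3     # "three of these four groups"
HISTORY_DEPTH = 24      # "different from the last 24 passwords"
PBKDF2_ROUNDS = 100_000 # assumed work factor for stored history hashes

# Assumption: "symbols (~!@#$%^&*, etc)" means any ASCII punctuation.
SYMBOLS = set(string.punctuation)


def character_groups(password):
    """Return the set of policy groups present in the password.

    Characters outside the four ASCII groups (accented letters, spaces)
    count toward length but toward no group, which is what the policy
    as written implies.
    """
    groups = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            groups.add("lower")
        elif ch in string.ascii_uppercase:
            groups.add("upper")
        elif ch in string.digits:
            groups.add("digit")
        elif ch in SYMBOLS:
            groups.add("symbol")
    return groups


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 digest for the password-history store.

    Storing hashes rather than old passwords keeps the history from
    becoming a list of 24 reusable credentials if the store leaks.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ROUNDS)
    return salt, digest


def reused(password, history):
    """True if the password matches any (salt, digest) pair in history."""
    for salt, digest in history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_password(password, username, history=()):
    """Apply the policy; return None on success or the reason for rejection.

    Checks run in the order the email lists them so the first failure
    reported matches the "why" given in its examples.
    """
    if len(password) < MIN_LENGTH:
        return "too short"
    if len(character_groups(password)) < REQUIRED_GROUPS:
        return "not enough character groups"
    if username and username.lower() in password.lower():
        return "contains username"
    # Only the most recent HISTORY_DEPTH entries are consulted.
    if reused(password, list(history)[-HISTORY_DEPTH:]):
        return "reused"
    return None


if __name__ == "__main__":
    # Constructed history: two hypothetical previous passwords, hashed.
    history = [hash_password(p) for p in ("OldPass1!", "OldPass2!")]
    for pw in ("AVeryGood1", "2easy2guess", "Abc123", "100+100=200",
               "JDoe2006!!", "OldPass2!"):
        print(pw, "->", check_password(pw, "jdoe", history) or "ok")
```

Two things the email does not spell out fall out of the code: the username check has to be case-insensitive or `JDoe2006!!` sails through for user `jdoe`, and the history comparison has to be against stored hashes, since a plaintext list of a user's last 24 passwords is a far richer target than the one password it is meant to protect.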

Like a herd of angry elephants, the rank and file stampeded to this hapless security worker’s desk. Although several cubicle walls block my view of his desk, my ears reverberated with the footfalls of the madding crowd. “What is this?” they trumpeted. Through his thick Italian accent, Security Guy stammered something about the new password policy not being a problem.
