Questions tagged [password-policy]
A set of requirements regarding password creation, storage, and usage. These requirements often constrain several characteristics of passwords. So, a password policy is a set of rules designed to enhance computer security by encouraging users to employ strong passwords and use them properly.
512 questions
4 votes
5 answers
2k views
What is the drawback of always generating passphrases for the user?
Arguably, the weakest link in any password-protected service is the human mind, which still chooses easy-to-guess passwords, despite them fulfilling "general security practices" such as S4f3P@$$...
9 votes
4 answers
4k views
Does Windows 11 PIN Behavior Break Password Security Conventions?
Building on the theme presented in this previous question, does Windows' current PIN input user flow break standard password security practices? Behavior: When the user inputs the correct number of ...
4 votes
1 answer
637 views
Storing password strength information along with password
I'm working on an authentication system that uses passwords. I would like to follow modern NIST best practices with regards to password strength. However, I also considered it may be nice to store ...
0 votes
0 answers
87 views
Does requiring login every n hours actually increase security for a web app, if login info is stored in the browser? [duplicate]
A web application I use forces me to log in again every 12 hours. I'm struggling to see exactly how this increases security, considering the browser has user and pass pre-filled, and I simply have to click ...
19 votes
7 answers
6k views
Is it secure to block passwords that are too similar to other employees' old passwords?
At my work, they don’t like different employees having ‘partially matching passwords.’ I had never thought anything of it before, but just now I realised what this means (or might mean.) When I ...
3 votes
1 answer
563 views
How to check user password against list of weak passwords when I use client-side hashing?
I’ve been exploring ways to strengthen password security, and one aspect of that is preventing the use of weak or commonly compromised passwords. NIST's recommendations, for example, include the ...
4 votes
1 answer
189 views
Is there a problem allowing two accounts to have the same recovery email?
Is it a security problem to allow two different user accounts to have the same email address? If the answer is “no problem”, when the user goes to the “forgot username” service, should I send an email ...
0 votes
1 answer
311 views
Passwords/password hashes in plaintext in service configs - why is this common practice?
A while ago I wanted to deploy a service using an OCI (docker/podman) container, and I noticed what seemed to me like a possibly disturbing trend. In the build file for a lot of the containers, the ...
2 votes
5 answers
7k views
Optimal password minimum length requirement? (In particular, does a 15 character minimum make sense for most university users?)
Is there any professional consensus on what the optimal password minimum length requirement should be? The University of Michigan recently implemented a 15 character minimum for all users. To me (...
0 votes
2 answers
495 views
Security of password managers vs. risk of losing access
Is it safe not to have a 2FA for a password manager itself? It seems that using an app for TOTP authentication for a password manager could increase the security. But it turns out that in this case I ...
25 votes
4 answers
7k views
Does a password policy with a restriction of repeated characters increase security?
A security value called Restriction of Repeated Characters for Passwords (QPWDLMTREP) can be configured in IBM i. If QPWDLMTREP has a value of 1, then "the same character cannot be used more than ...
2 votes
0 answers
229 views
How is "partial" password reuse determined? [closed]
How do environments like Active Directory determine if you reuse parts of previous passwords in a new password? I understand that it keeps a list of your last passwords, hashed. But how do they ...
1 vote
1 answer
424 views
Password restrictions limit Diceware word list - (when) can this get bad enough one should choose another strategy?
Besides “your password must contain this” complexity requirements, some places also have “your password must not contain this” rules, sometimes with fairly short substrings of the username, a day of ...
0 votes
1 answer
293 views
My Bank Enforces A 6 Character Limit On Passwords. Is This Bad? [duplicate]
A bank I (previously) used in Australia forced users to comply with a 6-character limit on every password. Specifically, the rules were: 6 characters exactly, including at least 1 number and letter ...
50 votes
5 answers
6k views
Should a bank be able to shorten your password without your involvement?
A friend's bank changed its password policy, such that you are limited to 20 characters. However, he used 24 letters before and thus was not able to log in anymore. He called his advisor, who ...