Stanford’s password policy shuns one-size-fits-all security

Stanford University network engineers have unveiled a refreshingly enlightened password policy. By allowing extremely long passcodes and relaxing character complexity requirements as length increases, the new standards may make it easier to choose passwords that resist the most common types of cracking attacks.

Students, faculty, and staff can use passwords as short as eight characters, but only if they contain a mix of upper- and lower-case letters, numbers, and symbols, according to the policy, which was published last week on Stanford's IT Services website. Even then, the short passwords must pass additional checks designed to flag common or weak passcodes (presumably choices such as "P@ssw0rd1", which can usually be cracked in a matter of seconds). The standards gradually reduce the character complexity requirements when lengths reach 12, 16, or 20 characters. At the other end of the spectrum, passcodes that have a length of 20 or more can contain any character type an end user wants, including all lower case.
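The tiered scheme described above can be expressed as a small policy checker. The code below is an added illustration, not Stanford's own implementation: the article fixes only the two ends of the scale (eight characters with all four character classes plus a weak-password check, and twenty or more characters with no class requirement), so the class counts assumed for the 12- and 16-character tiers, the tiny deny list and the leet-folding rule are constructed for this example.

```python
"""Tiered password policy checker (illustrative, not Stanford's code)."""
import string

# Constructed deny list standing in for the policy's "additional checks" on
# common or weak passwords; a real deployment would use a large breach corpus.
DENY_LIST = {"password", "password1", "qwerty123", "letmein", "welcome1"}

# Fold case and the most common digit/symbol substitutions so that a
# candidate such as "P@ssw0rd1" is compared against the list as "password1".
LEET_FOLD = str.maketrans("@$03!", "asoei")

# Tiers as (minimum length, distinct character classes required). The
# 8/four-class and 20/any-class tiers are stated in the article; the class
# counts at 12 and 16 are assumptions made for this example.
TIERS = [(20, 1), (16, 2), (12, 3), (8, 4)]


def character_classes(password):
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")  # anything else, including whitespace
    return classes


def required_classes(length):
    """Classes a password of this length must contain, or None if too short."""
    for min_len, classes in TIERS:
        if length >= min_len:
            return classes
    return None


def is_common(password):
    """Deny-list check on the raw and leet-folded, case-folded forms."""
    lowered = password.lower()
    return lowered in DENY_LIST or lowered.translate(LEET_FOLD) in DENY_LIST


def evaluate(password):
    """Return (accepted, reason) for a candidate password."""
    required = required_classes(len(password))
    if required is None:
        return False, "shorter than 8 characters"
    found = character_classes(password)
    if len(found) < required:
        return False, (f"length {len(password)} requires {required} "
                       f"character classes, found {len(found)}")
    # The deny-list check is applied at every length here; the article only
    # requires it for the shortest tier, so this is a design choice.
    if is_common(password):
        return False, "matches a common or weak password"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1", "Tr0ub4dor&3", "correcthorse",
                      "correcthorsebatterystaple"):
        print(f"{candidate!r}: {evaluate(candidate)}")
```

Note that "P@ssw0rd1" satisfies the four-class rule yet is still rejected, which is the point of the article's "additional checks": complexity rules alone do not catch predictable substitutions, and the deny list has to do that work.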

Ars hasn't tested the new system to ensure commonly used phrases found in the Bible, on YouTube, or myriad other places are automatically rejected. As Ars reported in October, even when such passphrases contain 40 or more characters, they are becoming increasingly susceptible to "off-line" cracking. Such attacks scrape popular websites and books, carve up the text into different phrases or sentences, and use them as guesses when cracking cryptographic hashes found in compromised password databases.
