I'm considering implementing fine-grained password policies at different levels for Admins, Staff and Students.
I'm struggling to find an adequate balance between enforcing good passwords and being overly restrictive.
Anybody want to share what requirements you use?
I believe the only requirement passwords should have is password length. Stringing two or more words together is better than forcing upper case, numbers or symbols with passwords a person cannot remember.
Something like Elephanthorsecat is more secure and easier to remember than shorter passwords with numbers and uppercase. Why do we force users into obscure, hard-to-remember passwords? Instead, teach them to string together words.
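To put numbers on the length-versus-complexity argument above, here is an added example (not code from any poster) that sizes the keyspace of a passphrase and of a short "complex" password under two attacker models, and applies a length-only rule per tier. The tier minimums and the 20,000-word dictionary size are assumptions for illustration.

```python
import math
import string

# Constructed tier policies (an assumption, not the original poster's settings):
# each tier enforces only a minimum length, as the reply above argues.
TIER_MIN_LENGTH = {"Admins": 20, "Staff": 16, "Students": 12}

# Printable ASCII character classes used to size the brute-force keyspace.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def charset_size(password: str) -> int:
    """Size of the union of character classes that appear in the password."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in password))


def brute_force_bits(password: str) -> float:
    """Keyspace in bits if the attacker knows only length and character classes."""
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Keyspace in bits if the attacker guesses whole words from a dictionary.
    This is the realistic estimate for word-based passphrases; a single
    dictionary word with leet substitutions (word_count=1) fares far worse."""
    return word_count * math.log2(dictionary_size)


def check_policy(tier: str, password: str) -> tuple[bool, str]:
    """Apply the tier's length-only rule; returns (accepted, reason)."""
    minimum = TIER_MIN_LENGTH[tier]
    if len(password) < minimum:
        return False, f"{tier}: {len(password)} chars, need at least {minimum}"
    return True, f"{tier}: ok"


if __name__ == "__main__":
    # Constructed samples: the reply's passphrase and a classic 'complex' password.
    for pw, words in (("Elephanthorsecat", 3), ("P@ssw0rd", 1)):
        print(f"{pw}: brute-force {brute_force_bits(pw):.1f} bits, "
              f"dictionary-guess {passphrase_bits(words, 20_000):.1f} bits")
        for tier in TIER_MIN_LENGTH:
            print("  ", check_policy(tier, pw)[1])
```

The three-word passphrase still beats the eight-character password once the attacker models are realistic, and the length-only rule rejects the short one for every tier.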
Indeed, when I used to work for National Government the password policy there was three groups of three characters creating a rhyme.
Easy to remember, fairly secure, and they generated them automatically on a three-month cycle.
I still use a similar system, but I prefer to add more characters while maintaining the idea of rhyming three similar words to reduce forgetfulness. If only I could find a way of replicating the password generation script, I'd probably implement this across the school.