This guidance contains advice for system owners responsible for determining password policy. It is not intended to protect high value individuals using public services.
It advocates a dramatic simplification of the current approach at a system level, rather than asking users to recall unnecessarily complicated passwords.
More specifically, this document will help you to:
- examine and (if necessary) challenge existing corporate password policies, and argue for a more realistic approach
- understand the decisions to be made when determining password policy
- implement strategies that lessen the workload that complex passwords impose on users
- make your system more secure, using the practical steps this document suggests.