Advice for system owners responsible for determining password policy
This guidance contains advice for system owners responsible for determining password policy. It is not intended to protect high-value individuals using public services.
It advocates a dramatic simplification of the current approach at a system level, rather than asking users to recall unnecessarily complicated passwords.
More specifically, this document will help you to:
- examine and (if necessary) challenge existing corporate password policies, and argue for a more realistic approach
- understand the decisions to be made when determining password policy
- implement strategies that lessen the workload that complex passwords impose on users
- make your system more secure through a number of practical steps you can implement