Password Lengths and Complexity – Our Philosophy

Over the years, I’ve seen lots of talk about the use of long passwords, complex passwords and so on, and I’ve narrowed the noise down to two options that we recommend to our clients (I tend to lean towards the second option).

In order to maintain good security (and to satisfy management’s security concerns), we need an effective password policy. There are two approaches to this, and a client needs to pick one (note that it applies to everyone; we can’t make exceptions for individuals, so this is an important decision).

Option 1

  • 9 Characters, with complexity required (i.e. passwords must have an uppercase, lowercase, number and special character like $!#, etc.)
    • Pros
      • Shorter password than the other option, good security
    • Cons
      • People often have trouble remembering the ‘complex bits’ and end up forgetting the password, or taping it to the bottom of their keyboard or other silly places, which wastes the security the policy was meant to provide in the first place

Option 2 (my preference)

  • 14 Characters, no complexity required
    • Pros
      • Users can define a simple ‘phrase’ to remember, such as “Iliketoeatsouponmondays” or “thesalmonkingsrock”, and are more likely to remember it without writing it down
    • Cons
      • 14 characters is more to type than 9; slow typists may whimper
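To make the two options concrete, here is an added example (my own code, not from the original post) that checks a candidate password against each rule set and compares the brute-force search space of the two minimums. The character classes for Option 1 are an assumption: the post only gives $!# as examples of special characters, so I treat all of Python’s `string.punctuation` as the special set. The sample passwords are constructed for the demo; two of them are the phrases quoted above.

```python
import math
import string
from typing import List

# Character classes for the Option 1 complexity rule. The post lists $!# as
# examples of special characters; using all of string.punctuation is my assumption.
UPPER = set(string.ascii_uppercase)
LOWER = set(string.ascii_lowercase)
DIGITS = set(string.digits)
SPECIAL = set(string.punctuation)


def check_option1(password: str, min_length: int = 9) -> List[str]:
    """Option 1: at least 9 characters and all four character classes present.
    Returns the list of violated rules; an empty list means the password passes."""
    chars = set(password)
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not chars & UPPER:
        problems.append("no uppercase letter")
    if not chars & LOWER:
        problems.append("no lowercase letter")
    if not chars & DIGITS:
        problems.append("no digit")
    if not chars & SPECIAL:
        problems.append("no special character")
    return problems


def check_option2(password: str, min_length: int = 14) -> List[str]:
    """Option 2: at least 14 characters, no composition rules at all."""
    if len(password) < min_length:
        return [f"shorter than {min_length} characters"]
    return []


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """log2 of the number of strings of `length` over an alphabet of `alphabet_size`,
    i.e. the brute-force search space for a password chosen uniformly at random.
    For a passphrase built from dictionary words the real search space is much
    smaller than this bound, so treat it as a ceiling, not an estimate."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed sample passwords: a minimal Option 1 candidate plus the two
    # phrases quoted in the post.
    samples = ["P@ssw0rd9", "Iliketoeatsouponmondays", "thesalmonkingsrock"]
    for pw in samples:
        print(f"{pw!r}:")
        print("  Option 1:", check_option1(pw) or "passes")
        print("  Option 2:", check_option2(pw) or "passes")

    # Search-space comparison at each option's minimum length: 95 printable
    # ASCII characters for a full-complexity password, 26 for lowercase only.
    print(f"Option 1 minimum (9 chars, 95-char alphabet):  {keyspace_bits(95, 9):.1f} bits")
    print(f"Option 2 minimum (14 chars, lowercase only):   {keyspace_bits(26, 14):.1f} bits")
```

Run as a script it prints which rules each sample violates and the two search-space figures. Note that a 14-character lowercase-only string already has a larger brute-force keyspace than a 9-character fully complex one (roughly 66 bits versus 59), which is the quantitative side of the Option 2 argument; the caveat in `keyspace_bits` is that a phrase made of common words does not get the full benefit of that bound.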

This is an important decision and must be supported by management for the project to succeed. My professional opinion is to go with Option 2. It won’t be popular at first, but it is easier to manage and remember for everyone involved.