The latest NIST (United States National Institute for Standards and Technology) guidelines on password policies recommend a minimum of 8 characters. Perhaps more interesting is what they recommend against. They recommend against allowing password hints, requiring the password to contain certain characters (like numeric digits or upper-case characters), using knowledge-based authentication (e.g., what is your mother's maiden name?), using SMS (Short Message Service) for two-factor authentication, or expiring passwords after some amount of time. They also provide recommendations on how password data should be stored.
[Ed. Note: Contrary to common practice, I would advocate reading the entire linked article so we can have an informed discussion on the many recommendations in the proposal. What has been your experience with password policies? Do the recommendations rectify problems you have seen? Is it reasonable to expect average users to follow the recommendations? What have they left out?]
(Score: 3, Interesting) by hendrikboom on Friday August 19 2016, @09:31PM
Is there any hope for people with mobility disorders, such as Parkinson's, who cannot type correctly? Or, for that matter, people whose laptops have bouncy keys?
These people need to be able to *see* the passwords they are typing.
-- hendrik
(Score: 0) by Anonymous Coward on Sunday August 21 2016, @12:09AM
There are other input devices than keyboards. Also, I usually turn on "bounce keys" at its lowest level on any computer due to shitty keyboards.
(Score: 2) by urza9814 on Monday August 22 2016, @10:18PM
Some places have been making passwords visible *by default* lately. Those morons over at Amazon.com are one such example, although I think that only occurs on certain devices so far.