Absurd Password Requirements

Filed under: Air Force, Security | January 28, 2007 at 11:09 am

The Air Force runs a portal that all its members can access. It aggregates a lot of genuinely useful information, such as pay history (limited to the last 2-3 months), a white-pages directory of personnel, and various other personnel records and self-service functions. I access it about once every two months.

They make you change your password once every 90 days. Here is their current password policy:

Passwords Must:

  • Be a minimum of nine characters in length
  • Contain each of the following in the first nine characters:
    • Two Uppercase Letters
    • Two Lowercase Letters
    • Two Special Characters (except ? which is reserved)
    • Two Numeric Characters

Seriously. I’m all in favor of strong passwords, but this is absurd. On the surface, passwords like this appear to be more secure. There are two flaws in that logic:

  • Users write them down. No one is going to commit a password combination this obscene to memory. They’ll write it down, email it to themselves, or save it in a file. I’d be willing to bet that you can find sticky notes with this password on the monitors of a substantial number of personnel. My login procedure now includes all of the password-reset steps, because I can never remember my password.
  • Users will use patterns to remember the password. Once a password gets this complex, users resort to finding patterns on their keyboard. I’m sure 12#$QWert is commonly used. The password just became far easier to recover by brute force.

If your security needs demand a password this complex, don’t let users choose them. Assign each user a randomly generated password. You’ll at least reduce the second vulnerability (the more dangerous one).
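The following is an added example, not code from the post or from the Air Force portal. It encodes the policy quoted above as a checker (the "first nine characters" window and the reserved `?` are my reading of the rules), shows that the keyboard-walk password 12#$QWert from the second bullet passes that policy while a simple row-walk detector flags it, and implements the post's closing recommendation by generating a random password that satisfies the policy. The `KEYBOARD_ROWS` layout and the run-length threshold are assumptions I chose for illustration.

```python
import secrets
import string

# Policy as quoted in the post: checks apply to the first nine characters,
# and '?' is treated here as disallowed because the portal reserves it.
MIN_LENGTH = 9
REQUIRED_PER_CLASS = 2
SPECIALS = "".join(c for c in string.punctuation if c != "?")

# Assumed US QWERTY rows used to spot passwords that walk along the keyboard.
KEYBOARD_ROWS = ["1234567890", "!@#$%^&*()", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def class_counts(password: str) -> dict:
    """Count characters of each class within the first nine characters only."""
    window = password[:MIN_LENGTH]
    return {
        "upper": sum(c.isupper() for c in window),
        "lower": sum(c.islower() for c in window),
        "digit": sum(c.isdigit() for c in window),
        "special": sum(c in SPECIALS for c in window),
    }


def meets_policy(password: str) -> bool:
    """True if the password satisfies the portal policy quoted in the post."""
    if len(password) < MIN_LENGTH or "?" in password:
        return False
    return all(n >= REQUIRED_PER_CLASS for n in class_counts(password).values())


def longest_keyboard_run(password: str) -> int:
    """Length of the longest substring that walks along one keyboard row,
    in either direction, ignoring case. Composition rules alone cannot see
    this; 12#$QWert satisfies every class requirement yet is a pure walk."""
    p = password.lower()
    best = 1 if p else 0
    for row in KEYBOARD_ROWS:
        for direction in (row, row[::-1]):
            for start in range(len(p)):
                # Only try to extend beyond the best run found so far.
                for end in range(start + best + 1, len(p) + 1):
                    if p[start:end] in direction:
                        best = end - start
                    else:
                        break
    return best


def is_keyboard_walk(password: str, max_run: int = 3) -> bool:
    """Flag passwords containing a keyboard-row run longer than max_run."""
    return longest_keyboard_run(password) > max_run


def generate_password(length: int = 12) -> str:
    """Assign a random password that satisfies the policy (assumed approach).

    Two characters from each class plus one free character fill the nine-
    character window, which is shuffled with a CSPRNG; any extra length is
    appended from the full alphabet, so the window rule is always satisfied.
    """
    if length < MIN_LENGTH:
        raise ValueError("length must be at least %d" % MIN_LENGTH)
    pools = [string.ascii_uppercase, string.ascii_lowercase, string.digits, SPECIALS]
    alphabet = "".join(pools)
    window = [secrets.choice(pool) for pool in pools for _ in range(REQUIRED_PER_CLASS)]
    window.append(secrets.choice(alphabet))
    secrets.SystemRandom().shuffle(window)
    tail = [secrets.choice(alphabet) for _ in range(length - MIN_LENGTH)]
    return "".join(window + tail)


if __name__ == "__main__":
    # Constructed sample inputs illustrating the post's argument.
    for candidate in ["12#$QWert", "Ab1!Ab1!x", "Password1!", "xyzwvuAAaa11!!"]:
        print(candidate, meets_policy(candidate), is_keyboard_walk(candidate))
    assigned = generate_password()
    print(assigned, meets_policy(assigned), is_keyboard_walk(assigned))
```

Run as a script it prints one line per sample showing whether the policy accepts it and whether it is a keyboard walk; the last line is a freshly generated password that always passes the policy check. The point of `xyzwvuAAaa11!!` is that every class is present somewhere, but not inside the first nine characters, so the portal's rule as written rejects it.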


This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 2.5 License. | Dave Naffziger's Blog