Password length and formation

Many policies require a minimum password length (eight characters is typical but may not be appropriate). Some systems impose a maximum length for compatibility with legacy systems. Some policies suggest or impose requirements on what type of password a user can choose, such as:

  • the use of both upper- and lower-case letters (case sensitivity)
  • inclusion of one or more numerical digits
  • inclusion of special characters, e.g. @, #, $ etc.
  • prohibition of words found in a dictionary or the user's personal information
  • prohibition of passwords that match the format of calendar dates, license plate numbers, telephone numbers, or other common numbers
  • prohibition of use of company name or an abbreviation

An Environ password is of the following form: consonant, vowel, consonant, consonant, vowel, consonant, number, number (for example pinray45). A disadvantage of this 8-character password is that its form is known to potential attackers, so the number of possibilities that need to be tested is fewer than for a 6-character password of no form (486,202,500 vs 2,176,782,336). Other systems create the password for the users or let the user select one of a limited number of displayed choices.
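The comparison above can be checked by counting the passwords a fixed form admits. The following Python sketch is an added example, not part of the original text; the template letters C/V/N and the function names are this example's own notation, and it assumes 21 consonants, 5 vowels, 10 digits, and a 36-symbol free-form alphabet (lowercase letters plus digits), which is what reproduces the two figures quoted.

```python
import math

# Character classes assumed for the form described above.
VOWELS = "aeiou"
CONSONANTS = "".join(c for c in "abcdefghijklmnopqrstuvwxyz" if c not in VOWELS)
DIGITS = "0123456789"
CLASSES = {"C": CONSONANTS, "V": VOWELS, "N": DIGITS}

# consonant, vowel, consonant, consonant, vowel, consonant, number, number
ENVIRON_FORM = "CVCCVCNN"  # template notation is hypothetical, for illustration


def keyspace(form):
    """Number of distinct passwords that fit a fixed form."""
    return math.prod(len(CLASSES[slot]) for slot in form)


def free_keyspace(alphabet_size, length):
    """Number of passwords of a given length with no imposed form."""
    return alphabet_size ** length


def matches_form(password, form):
    """True if every character falls in the class its position requires."""
    return len(password) == len(form) and all(
        ch in CLASSES[slot] for ch, slot in zip(password, form)
    )


def min_free_length(form, alphabet_size):
    """Shortest free-form length whose keyspace is at least the form's."""
    target = keyspace(form)
    length = 1
    while free_keyspace(alphabet_size, length) < target:
        length += 1
    return length


if __name__ == "__main__":
    formed = keyspace(ENVIRON_FORM)
    free = free_keyspace(36, 6)
    print(f"formed 8-char: {formed:,} ({math.log2(formed):.1f} bits)")
    print(f"free 6-char:   {free:,} ({math.log2(free):.1f} bits)")
    print("pinray45 fits form:", matches_form("pinray45", ENVIRON_FORM))
    print("equivalent free-form length:", min_free_length(ENVIRON_FORM, 36))
```

A policy reviewer can use the same count to compare any imposed form against a plain minimum-length rule before adopting it.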