
I have an academic project where I need to develop a security plan.

I wrote the rules of password composition:

  • At least 9 characters

  • At least one number

  • At least one special character

I am not sure whether I should consider this a policy or a standard, but I am keen on considering it a policy.

What about some other rules like for example:

  • Don't write your password on Post-its

  • Use different passwords for different logins

Should these two rules be a standard?

Fábio Pires

1 Answer

A policy describes an intent, whereas a standard represents a set of rules to achieve this intent.

In your case the policy would be: authentication logic in the application needs to ensure password quality and uniqueness. The standard would be: not less than 9 characters should be accepted as a password.

BTW, to see a nice set of standards, please have a look at the OWASP ASVS (Application Security Verification Standard), available here: https://owasp.org/www-project-application-security-verification-standard/

It will point out that a rule like "at least one number" is poor and old-fashioned. Requirement 2.1.9 states that:

Verify that there are no password composition rules limiting the type of characters permitted. There should be no requirement for upper or lower case or numbers or special characters.

You can simply copy-paste the OWASP ASVS for your needs. No worries. The whole tech industry does this. :)

Marek Puchalski
  • what do you mean by password uniqueness? That 2 users can't have the same password? – Fábio Pires Jun 08 '22 at 13:01
  • Uniqueness means that the user is encouraged to set different passwords for different systems he uses. So you should do all things necessary to help him achieve this (e.g. by allowing the password to be stored in the browser's keystore or by enabling a trouble-free password reset for him if necessary). – Marek Puchalski Jun 09 '22 at 07:14
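The policy/standard split from the answer, as an added worked example that is not part of the original question or answer: the policy ("ensure password quality") is expressed as a single enforcement function, while each concrete standard (the questioner's composition rules, and a length-only standard in the spirit of ASVS 2.1.9) is a data object the function takes as input. The small known-weak list is a constructed sample and an assumption of this example; the answer itself does not mention one. The names `PasswordStandard`, `check_password` and `compare` are invented here.

```python
import string
from dataclasses import dataclass

@dataclass(frozen=True)
class PasswordStandard:
    """One concrete standard that implements the policy 'ensure password quality'."""
    name: str
    min_length: int
    require_digit: bool = False      # composition rule, discouraged by ASVS 2.1.9
    require_special: bool = False    # composition rule, discouraged by ASVS 2.1.9

SPECIALS = set(string.punctuation)

# Constructed sample of known-weak passwords (assumption of this example; a real
# deployment would compare against a breached-password list instead).
KNOWN_WEAK = {"password1", "p@ssw0rd1", "qwerty123!"}

def check_password(password: str, standard: PasswordStandard) -> list[str]:
    """Enforce the policy against one standard; return violated rules (empty == accepted)."""
    violations = []
    if len(password) < standard.min_length:
        violations.append(f"shorter than {standard.min_length} characters")
    if standard.require_digit and not any(c.isdigit() for c in password):
        violations.append("no digit")
    if standard.require_special and not any(c in SPECIALS for c in password):
        violations.append("no special character")
    if password.lower() in KNOWN_WEAK:
        violations.append("known weak password")
    return violations

# The questioner's rules: 9+ characters, a digit and a special character.
QUESTION_RULES = PasswordStandard("composition rules from the question", 9, True, True)
# Length-only standard, as ASVS 2.1.9 suggests: no character-type requirements.
ASVS_STYLE = PasswordStandard("length only (ASVS 2.1.9)", 9)

def compare(password: str) -> dict[str, list[str]]:
    """Run the same password through both standards side by side."""
    return {std.name: check_password(password, std) for std in (QUESTION_RULES, ASVS_STYLE)}

if __name__ == "__main__":
    # Constructed inputs: a long passphrase, a classic weak password, a short one.
    for pw in ("correct horse battery staple", "P@ssw0rd1", "short1!"):
        print(repr(pw))
        for name, problems in compare(pw).items():
            print(f"  {name}: {'accepted' if not problems else ', '.join(problems)}")
```

Running it shows the point the answer makes: the composition rules reject the long passphrase for lacking a digit and a special character, yet accept the nine-character `P@ssw0rd1` unless a weak-password check is added; the length-only standard accepts the passphrase and relies on the weak-password check to catch the predictable one.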