Password Complexity Standard

Purpose

To define minimum password complexity requirements based upon assigned password policy levels.

Standard:

  1. Password construction attributes (Table 1) for each password policy level are selected to achieve the specified minimum entropy.
  2. Password composition rules require the inclusion of 3 of the 4 following character sets: lowercase letters, uppercase letters, numerals and special characters. Allowable special characters are ~ ! @ # $ % ^ & * ( ) _ + | ` - = \ { } [ ] : " ; ' < > ? , . / and the space character (where the system supports it). Passwords may not contain any word of more than 4 characters that appears in a dictionary of at least 50,000 words.
  3. For all policy levels, choosing a passphrase of at least 18 characters waives the composition rules and the dictionary check. Passphrases remain subject to minimal tests that reject common or trivial phrases.
  4. Multi-Factor Authentication (MFA) may be offered for policy levels P3-P5 and is required for P6.
Table 1. Password construction attributes by policy level

Attribute                               P1     P2     P3     P4     P5     P6
Minimum entropy (bits)                  30     30     30     31.5   31.5   31.5
Minimum password length (characters)    8      8      8      9      9      9
Maximum password age (days)             365    365    365    180    180    90
Minimum age before reset (days)         1      1      1      1      1      1
Password uniqueness/history (days)      200    200    200    200    200    200
Failed attempts before lockout          10     10     10     10     10     6
Lockout duration (minutes)              30     30     30     30     30     30
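The construction rules in items 2 and 3 together with the minimum lengths from Table 1, as a checker. This is an added example, not code from the standard or its owner. The function names, the small constructed word list and phrase list (stand-ins for the 50,000-word dictionary the standard requires), and the "fewer than four distinct characters" trivial-passphrase test are assumptions. Entropy is not estimated per password; the standard meets the Table 1 entropy figures through the length and composition attributes.

```python
# Added example implementing rules 2 and 3 of the standard; not the standard's
# own code. Names, sample lists and the distinct-character test are assumptions.

# Special characters allowed by rule 2. The space is included; drop it on
# systems that cannot accept it.
SPECIALS = frozenset("~!@#$%^&*()_+|`-=\\{}[]:\";'<>?,./ ")

MIN_LENGTH = {"P1": 8, "P2": 8, "P3": 8, "P4": 9, "P5": 9, "P6": 9}  # Table 1
PASSPHRASE_LENGTH = 18      # rule 3 threshold
MAX_DICTIONARY_WORD = 4     # rule 2: embedded words longer than this are rejected
REQUIRED_CLASSES = 3        # rule 2: 3 of the 4 character sets

# Constructed stand-ins for the real 50,000-word dictionary and phrase list.
SAMPLE_DICTIONARY = frozenset({
    "password", "summer", "welcome", "dragon", "monkey", "secret", "admin",
    "qwerty", "letmein", "cat", "dog", "blue", "horse", "battery", "staple",
})
SAMPLE_COMMON_PHRASES = frozenset({
    "correct horse battery staple",
    "the quick brown fox jumps over the lazy dog",
})


def character_classes(password):
    """Return the set of character classes used, or None if any character
    falls outside the allowed alphabet (letters, digits, SPECIALS)."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in SPECIALS:
            classes.add("special")
        else:
            return None
    return classes


def embedded_dictionary_word(password, dictionary=SAMPLE_DICTIONARY,
                             max_len=MAX_DICTIONARY_WORD):
    """Return the longest dictionary word longer than max_len that occurs
    anywhere in the password (case-insensitive), or None.

    Substrings are enumerated from the password and looked up in the set, so
    cost is quadratic in password length and independent of dictionary size.
    """
    lowered = password.lower()
    n = len(lowered)
    best = None
    for i in range(n):
        for j in range(i + max_len + 1, n + 1):
            candidate = lowered[i:j]
            if candidate in dictionary and (best is None or len(candidate) > len(best)):
                best = candidate
    return best


def check_passphrase(passphrase, common_phrases=SAMPLE_COMMON_PHRASES):
    """Rule 3: minimal tests for common or trivial phrases. Case and
    whitespace are normalised before the blocklist lookup. The distinct
    character test is an assumed heuristic, not taken from the standard."""
    normalised = " ".join(passphrase.lower().split())
    if normalised in common_phrases:
        return ["passphrase is a known common phrase"]
    if len(set(normalised)) < 4:
        return ["passphrase is trivial (fewer than four distinct characters)"]
    return []


def validate_password(password, level):
    """Apply the construction rules for policy level P1..P6.
    Returns a list of violations; an empty list means the password passes."""
    if level not in MIN_LENGTH:
        raise ValueError(f"unknown policy level {level!r}")
    problems = []
    if len(password) < MIN_LENGTH[level]:
        problems.append(f"shorter than {MIN_LENGTH[level]} characters")

    # Rule 3: a passphrase of 18+ characters waives the composition and
    # dictionary rules but still gets the trivial-phrase tests.
    if len(password) >= PASSPHRASE_LENGTH:
        return problems + check_passphrase(password)

    # Rule 2: allowed alphabet, 3 of 4 character classes, dictionary check.
    classes = character_classes(password)
    if classes is None:
        problems.append("contains a character outside the allowed set")
    elif len(classes) < REQUIRED_CLASSES:
        problems.append(
            f"uses {len(classes)} of 4 character classes; {REQUIRED_CLASSES} required")
    word = embedded_dictionary_word(password)
    if word is not None:
        problems.append(f"contains dictionary word {word!r}")
    return problems


if __name__ == "__main__":
    for pw, lvl in [("Tr0ub4dor&3", "P1"), ("Summer2024!", "P4"),
                    ("correct horse battery staple", "P6")]:
        print(lvl, repr(pw), validate_password(pw, lvl) or "OK")
```

The aging, history and lockout attributes in Table 1 are enforced by the authentication system at reset and login time rather than by a composition checker, so they are deliberately outside this function. Note that the dictionary test is a substring test: "Summer2024!" satisfies the character-class rule but still fails because it embeds a six-letter dictionary word.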

References:

SEC-AC-002.01: Authentication Management Standard
NIST Special Publication 800-63 revision 1: Electronic Authentication Guideline
PCI Data Security Standard 2.0

Effective Date:

June 24, 2015