Password Complexity Standard

Purpose

To define minimum password complexity requirements based upon assigned password policy levels.

Standard:

  1. Password construction attributes (Table 1) for each password policy level are selected to achieve the specified minimum entropy.
  2. Password composition rules require the inclusion of 3 of the 4 following character sets: lowercase letters, uppercase letters, numerals and special characters. Allowable special characters are ~ ! @ # $ % ^ & * ( ) _ + | ` - = \ { } [ ] : " ; ' < > ? , . / and the space character (depending on system support). Passwords may not include words of more than 4 characters, as tested against a dictionary of at least 50,000 words.
  3. For all policy levels, the selection of a passphrase of at least 18 characters eliminates the password composition rules and dictionary check. Passphrases are subject to minimal tests to prevent use of common or trivial phrases.
  4. Multi-Factor Authentication (MFA) may be offered for use with policy levels P3-P5, and is required for P6.
Table 1: Password construction attributes by policy level

  Attribute                                P1    P2    P3    P4    P5    P6
  Minimum entropy bits                     30    30    30    31.5  31.5  31.5
  Minimum length of password               8     8     8     9     9     9
  Maximum age of password (days)           365   365   365   180   180   90
  Password minimum age for reset (days)    1     1     1     1     1     1
  Password uniqueness/history (days)       200   200   200   200   200   200
  Failed attempts before lockout           10    10    10    10    10    6
  Lockout duration (minutes)               30    30    30    30    30    30
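The composition and passphrase rules of items 2 and 3, combined with the minimum lengths from Table 1, as an added example check; this is not part of the standard or the organization's own tooling. DICTIONARY and TRIVIAL_PHRASES are small constructed stand-ins for the 50,000-word dictionary and the trivial-phrase test the standard requires, and the function and variable names are the author's choices.

```python
import string

# Allowed special characters from item 2 (the space character included).
SPECIALS = set("~!@#$%^&*()_+|`-=\\{}[]:\";'<>?,./ ")
# Minimum password length per policy level, from Table 1.
MIN_LENGTH = {"P1": 8, "P2": 8, "P3": 8, "P4": 9, "P5": 9, "P6": 9}
PASSPHRASE_MIN = 18  # item 3: at this length the passphrase rules apply
# Constructed stand-ins: the standard requires a >=50,000-word dictionary
# and a test for common or trivial phrases; these lists only illustrate.
DICTIONARY = {"password", "summer", "welcome", "dragon", "monkey", "cat"}
TRIVIAL_PHRASES = {"correct horse battery staple", "the quick brown fox"}


def composition_errors(pw: str) -> list[str]:
    """Item-2 violations for a password; an empty list means compliant."""
    errors = []
    present = [
        any(c in string.ascii_lowercase for c in pw),
        any(c in string.ascii_uppercase for c in pw),
        any(c in string.digits for c in pw),
        any(c in SPECIALS for c in pw),
    ]
    if sum(present) < 3:
        errors.append("fewer than 3 of 4 character sets")
    # Anything outside ASCII letters, digits and the listed specials fails.
    bad = {c for c in pw if not (c.isascii() and c.isalnum()) and c not in SPECIALS}
    if bad:
        errors.append("disallowed characters: " + "".join(sorted(bad)))
    # The dictionary check applies to words longer than 4 characters, so
    # "cat" is ignored while "password" embedded anywhere in the string fails.
    lowered = pw.lower()
    for word in sorted(DICTIONARY):
        if len(word) > 4 and word in lowered:
            errors.append(f"contains dictionary word '{word}'")
    return errors


def check_password(pw: str, level: str) -> list[str]:
    """Apply the standard for one policy level; empty list means accepted."""
    if len(pw) < MIN_LENGTH[level]:
        return [f"shorter than {MIN_LENGTH[level]} characters for {level}"]
    if len(pw) >= PASSPHRASE_MIN:
        # Item 3: a passphrase skips composition and dictionary rules but
        # must not be a common or trivial phrase (whitespace-normalized).
        normalized = " ".join(pw.lower().split())
        if normalized in TRIVIAL_PHRASES:
            return ["common or trivial passphrase"]
        return []
    return composition_errors(pw)
```

Note that a lowercase-only passphrase such as "my cat ate lasagna today" is accepted because item 3 lifts the composition rules once 18 characters are reached.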

References:

SEC-AC-002.01: Authentication Management Standard
NIST Special Publication 800-63 revision 1: Electronic Authentication Guideline
PCI Data Security Standard 2.0

Effective Date:

June 24, 2015