Just a few notes here for an unnamed (non-secret) military (ending with .mil) website. The sole idea of this post is to briefly articulate how "strong" of a security password is required, that is, until everything moves to requiring a physical, smart card + card reader.
(The following is not word for word, but just the general idea in my own words.)
Here's what is highly recommended (read: required) by the site:
- Up to 55 characters.
- Contain 2+ of each of the following:
  - UPPERCASE letters
  - lowercase letters
  - symbols
  - numbers
- NOT contain:
  - Any self-identifying information
  - Words that can be found in the dictionary (thus preventing dictionary attacks)
  - Common passwords, like "password", "654321", "abc", "qwerty", "asdfghjkl;'"
And, now the special considerations:
- Password lasts less than six months
- Can't reuse passwords
- Passwords must be significantly different from previously used ones
The above is all true.
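To make the rules above concrete, here is a small policy checker written for this post as an added example (it is not code from the site being described, and the site's actual implementation is unknown). The word lists are constructed stand-ins for a real dictionary and common-password list; the similarity threshold for "significantly different" and the 180-day reading of "less than six months" are assumptions.

```python
from datetime import date, timedelta
from difflib import SequenceMatcher

# Constructed, tiny stand-ins for a real dictionary and common-password list.
DICTIONARY_WORDS = {"password", "summer", "dragon", "welcome", "secret"}
COMMON_PASSWORDS = {"password", "654321", "abc", "qwerty", "asdfghjkl;'"}

MAX_LENGTH = 55          # from the policy: up to 55 characters
MIN_PER_CLASS = 2        # from the policy: 2+ of each character class
MAX_SIMILARITY = 0.5     # assumption: at/above this ratio is "not significantly different"
MAX_AGE_DAYS = 180       # assumption: "less than six months" read as 180 days

# Character classes the policy requires; each maps to a per-character predicate.
CLASSES = {
    "uppercase": str.isupper,
    "lowercase": str.islower,
    "number": str.isdigit,
    "symbol": lambda c: not c.isalnum() and not c.isspace(),
}


def check_password(candidate, personal_info=(), history=()):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(candidate) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")

    # Composition rule: at least MIN_PER_CLASS characters from every class.
    for name, predicate in CLASSES.items():
        count = sum(1 for c in candidate if predicate(c))
        if count < MIN_PER_CLASS:
            problems.append(f"needs at least {MIN_PER_CLASS} {name} characters (has {count})")

    lowered = candidate.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("is a well-known common password")
    for word in DICTIONARY_WORDS:
        if word in lowered:
            problems.append(f"contains dictionary word '{word}'")

    # Self-identifying information (name, username, etc.) supplied by the caller.
    for info in personal_info:
        if info and info.lower() in lowered:
            problems.append("contains self-identifying information")
            break

    # Reuse and "significantly different" checks against previous passwords.
    for old in history:
        if candidate == old:
            problems.append("reuses a previous password")
        elif SequenceMatcher(None, candidate, old).ratio() >= MAX_SIMILARITY:
            problems.append("too similar to a previous password")
    return problems


def is_expired(set_on, today=None):
    """True once a password set on `set_on` has reached the maximum age."""
    today = today or date.today()
    return today - set_on >= timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    for pw in ["password", "Tq7#mK9$vB"]:
        print(pw, "->", check_password(pw) or "OK")
    print("similar:", check_password("Tq7#mK9$vB", history=["Tq7#mK9$vC"]))
    print("expired:", is_expired(date(2014, 1, 1), today=date(2014, 7, 15)))
```

Note that the "significantly different" rule can only be enforced if the previous password (or a reversible form of it) is available at change time, which is why many systems check it against the old password the user just typed rather than against a stored history.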
Now, how does one remember this obfuscated password?
Well, one idea is to write it on a sticky note and put it on the computer. (Please don't do this.) Another is to not remember the password at all and instead rely on the possibly weaker route of knowing a few pieces of self-identifying information for a phone call or an automated password recovery system.
Two more bad ideas for remembering complicated passwords to a secure system:
- Using a third-party password solution
- Save in a plain text document
- Save in an encrypted document with the decryption key on the same machine
ps - Post purposely vague and without a final conclusion. It is my hope that readers will find more reputable sources than a random blog on the Internet to read. Here's a good mostly-unbiased start: https://www.google.com/search?q=what's+a+safe+password
~ Danial Goodwin ~
pps - If you would like to know more about security for URLs, then check out my post from two years ago that still holds true today: http://blog.simplyadvanced.net/what-you-dont-know-about-urls-and-how-you-will-be-tricked/