There has been recent talk about appropriate password policies in enterprises. This is one of those never-ending debates that aren’t really debates – usually, it is a competition to see who can come up with the most obtrusive, obnoxious, useless security policies possible.
Here are some "rules of the road":
- In today’s threat environment, the most significant attacks (phishing, traditional social engineering, sniffing (local/network)) are equally effective with short, simple passwords or long, complex passwords. If you care about these (and you probably should) then you should be looking at stronger authentication solutions like smartcards, tokens, etc.
- The other two main attacks, interactive guessing (e.g. by your colleagues) and password cracking, are impacted much more by time and accessibility than anything else.
- Interactive guessing is easily protected against with short non-dictionary passwords and a low lockout threshold (e.g. 3-5 attempts).
- Password cracking is protected against with longer, more complex passwords.
Steve Riley from Microsoft recently advocated long pass phrases and criticized account lockout on denial-of-service grounds. Though I think this is a reasonable approach, I can’t quite get there. I am sticking with recommending shorter passwords with longer lifetime and an account lockout (even for a very short time period) with monitoring in the background.
My primary reasoning is that while memorable passphrases address the memory problem of complex passwords, they introduce a new problem: the simple typo. If folks are at all like me, typos will be fairly common and difficult to see since password characters are masked. Of course, with no lockout (!?), they could keep trying, but then you run into a simple productivity problem associated with "elapsed time". (Yeah, I know – no big deal, but remember the users we are responsible for – they will care.)
There is probably also a reasonable possibility of running "quote book" and "song book" attacks against a passphrase.
Ultimately, I don’t consider password cracking a huge threat, given the numerous other attack vectors. In any case, if the opportunity presents itself, the best protection is likely to be frequent changes. If password cracking is a concern, you should be going multi-factor anyway.
My advice: If the risk is not great enough to warrant multi-factor authentication, then you should be fine with short passwords (4-6 characters), long lifetimes (3-6 months), short lockout attempts (3-5 attempts), and a short lockout period (2-5 minutes).
[Btw, I am purposely ignoring regulatory compliance requirements.]
“with short passwords (4-6 characters)” – 4 characters is a sooo poor password these days, and 5 too. Btw: do not forget about cracking passwords by GPU (graphics cards; this way password cracking gets more than 20x faster)