ministryofjustice / itpolicycontent

Draft and review content for MoJ IT Policy.

Change to minimum password characters #93

Closed ahmedrmoj closed 4 years ago

ahmedrmoj commented 5 years ago

Changing 8 character minimum to 15 character minimum for all user accounts to bring it in line with service account password requirements.

warmanaMOJ commented 5 years ago

The change from 8 to 15 characters might be a problem for some users and existing deployed systems.

I'd suggest:

  1. Double checking that the proposed change is OK with Cyber Consulting. I'll help with this.
  2. Referring to the NCSC guidance on complex passwords, and in particular the #thinkrandom guidance here, to make it easier for people to get to the 15 characters or more.

joelgsamuel commented 5 years ago

Academically, it depends on where the password hash is stored and how it is defended (a hash that can be cracked 'offline' versus a brute force attack against a service that is actively defending the authentication component): if we take a basic offline hash, with something like j0elPw3rd, that will take at most 2 days to crack.

I would be content with uplifting to 15 characters, promoting #thinkrandom for human-generated/used passwords (although still pushing password managers) and mandatory complexity for system/service accounts.

(this is a baseline policy, new systems should meet it while older systems that exist should aspire to on upgrade or must at replacement)
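To put the 8-versus-15 argument above into numbers, here is an added example (not from the issue or the MoJ repo) that computes the keyspace of a password and the worst-case time to exhaust it offline at an assumed guess rate, and checks a candidate against the proposed baseline (15 characters for every account, complexity mandatory for service accounts). The guess rate and the way the policy is encoded are assumptions, not figures from the thread.

```python
import math
import re

# Assumed offline guess rate against a fast, unsalted hash.
# Placeholder figure for illustration, not a value from the thread.
ASSUMED_GUESSES_PER_SECOND = 10_000_000_000  # 1e10


def keyspace_bits(charset_size: int, length: int) -> float:
    """Bits of keyspace for `length` symbols drawn uniformly from `charset_size`."""
    return length * math.log2(charset_size)


def worst_case_crack_days(charset_size: int, length: int,
                          guesses_per_second: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Days needed to try every password in the keyspace at the assumed rate.

    This is the upper bound for a pure brute force; dictionary and pattern
    attacks finish far sooner on human-chosen strings like 'j0elPw3rd'.
    """
    return charset_size ** length / guesses_per_second / 86_400


def meets_policy(password: str, account_type: str) -> bool:
    """Check the proposed baseline: 15-character minimum for all accounts,
    plus mandatory complexity (lower, upper, digit, symbol) for service accounts.
    Encoding of the policy is an assumption based on the discussion."""
    if len(password) < 15:
        return False
    if account_type == "service":
        classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
        return all(re.search(c, password) for c in classes)
    return True


def compare_lengths(charset_size: int = 62) -> dict:
    """Side-by-side keyspace and worst-case exhaustion time for the old and new minimums."""
    return {
        length: (round(keyspace_bits(charset_size, length), 1),
                 worst_case_crack_days(charset_size, length))
        for length in (8, 15)
    }


if __name__ == "__main__":
    for length, (bits, days) in compare_lengths().items():
        print(f"{length} chars, mixed case + digits: {bits} bits, {days:.3g} days to exhaust")
    print("j0elPw3rd meets policy:", meets_policy("j0elPw3rd", "user"))
```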

ahmedrmoj commented 5 years ago

Thanks both for your input; this was raised by Laura Trantor to Rachel. I'm happy to give her our feedback once we've reached a final agreement.