Internal Password Dictionary Check Guidelines
We are currently updating our password policies to be more ISO compliant and I seem to be hitting a snag. There seems to be little to no guidance on what “not vulnerable to dictionary attacks” really means. From what I can gather, there seem to be 3 different styles of dictionary checkers out there. The lowest style seems to check if the password contains whole words: $password. Kind of a medium style strips all special/numeric characters and checks the remainder against the dictionary: pa$ss$wo$rd. The strongest seems to do a reverse l33t on the password to see if it was dictionary based: p@$$w0rd. All of these are technically dictionary checkers and have obvious security vs. user supportability problems, but out of everyone out there, which style have you implemented? Did you implement it across your entire organization or selected communities (Fac/Staff vs. Students, for example)?
Feel free to respond to me directly if you don’t wish to expose your inner workings.
Old Dominion University
Senior Security Administrator
4700 Elkhorn Ave - Room 4300
Norfolk, Va, 23529 USA
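The three checker styles the post describes can be prototyped in a few lines, which makes it easier to see what each tier catches and where the false-positive trade-off comes from. The code below is an added illustration, not code from the poster or from any product; the word list, the leet substitution table and the minimum word length are constructed assumptions and would be replaced by a real dictionary and a locally tuned policy.

```python
"""
Three cumulative tiers of password dictionary checking, matching the
three styles described in the post:
  tier 1 - password contains a dictionary word verbatim      ($password)
  tier 2 - strip digits/symbols, then check the letters       (pa$ss$wo$rd)
  tier 3 - reverse common l33t substitutions, then check      (p@$$w0rd)
Added example; the dictionary and substitution table are constructed samples.
"""
import re

# Constructed sample word list; a real deployment loads a large dictionary
# plus local terms (institution name, usernames, mascots, etc.).
DICTIONARY = {"password", "welcome", "monarch", "dragon", "letmein"}

# Assumed policy knob: ignore very short words to limit false positives
# ("cat" would otherwise reject almost any password containing "cat").
MIN_WORD_LEN = 4

# Assumed reverse-l33t table: common character substitutions mapped back to letters.
LEET_MAP = {
    "@": "a", "4": "a", "8": "b", "3": "e", "6": "g", "1": "l", "!": "i",
    "|": "l", "0": "o", "5": "s", "$": "s", "7": "t", "+": "t", "2": "z",
}


def _matches_dictionary(text, dictionary):
    """True if any sufficiently long dictionary word appears inside text."""
    return any(w in text for w in dictionary if len(w) >= MIN_WORD_LEN)


def contains_whole_word(password, dictionary=DICTIONARY):
    """Tier 1: the lower-cased password contains a dictionary word as-is."""
    return _matches_dictionary(password.lower(), dictionary)


def strip_non_alpha(password):
    """Drop every character that is not a letter, after lower-casing."""
    return re.sub(r"[^a-z]", "", password.lower())


def alpha_remainder_is_word(password, dictionary=DICTIONARY):
    """Tier 2: remove digits and symbols, then check what is left."""
    return _matches_dictionary(strip_non_alpha(password), dictionary)


def unleet(password):
    """Map common l33t substitutions back to letters, then drop leftovers."""
    undone = "".join(LEET_MAP.get(ch, ch) for ch in password.lower())
    return strip_non_alpha(undone)


def leet_normalized_is_word(password, dictionary=DICTIONARY):
    """Tier 3: reverse l33t, then check the normalized letters."""
    return _matches_dictionary(unleet(password), dictionary)


def dictionary_tier_hit(password, dictionary=DICTIONARY):
    """
    Run the tiers cumulatively (the stronger policies include the weaker
    ones) and return the first tier that rejects the password, or None if
    the password survives all three.
    """
    if contains_whole_word(password, dictionary):
        return 1
    if alpha_remainder_is_word(password, dictionary):
        return 2
    if leet_normalized_is_word(password, dictionary):
        return 3
    return None


if __name__ == "__main__":
    for candidate in ("$password", "pa$ss$wo$rd", "p@$$w0rd", "Xq7!vR2#kL"):
        print(f"{candidate!r}: rejected at tier {dictionary_tier_hit(candidate)}")
```

Running the tiers cumulatively matters: a pure reverse-l33t pass on its own would turn `pa$ss$wo$rd` into `passsswosrd` and miss it, because the `$` here is a separator rather than an `s`. The stripped and the un-leeted forms are different normalizations, so the strongest policy checks both. The minimum word length is where the user-supportability trade-off the post mentions shows up: lowering it catches more weak passwords and rejects more legitimate ones.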