Web site password policy

What’s your website's password policy? 5 characters? 6 characters including upper/lower case and numbers? How did you choose the policy? Did the IT department think it would be a good idea? Is it based on requirements set by Information Security?

This single subject alone fills up more of my inbox than any other. Here’s the situation. We have a policy that is based on the risk profile of a web product (because as an organisation we have hundreds of web products, varying from sites such as LexisNexis to Variety and TotalJobs). No single black-and-white policy alone can cater for the huge variation in risk that we have between different web products, and even where we can categorise products under the same profile there can still be difficulty in implementing a policy. For instance: what should you do if the people making use of the product are children?

The issue has come up again because we’ve reviewed one particular product and noted that the implementation of passwords is less than what I would deem sufficient. Here is a snippet from my response:

…shouldn’t focus on credential strength but instead on the data that is being accessed. So, for instance, if weak credentials are being used as a matter of customer requirements then the accounts in question MUST not – business requirements or not – have access to confidential data.

I think that this is a good pragmatic approach. We have to take into account what customers are willing to do to get to particular data but we also have a duty to protect private information. So while some customers might complain about having to enter more complex passwords to access information, it’s something that’s necessary and important until we come up with better methods of authentication.
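As an added illustration of the approach in the response above (example code, not from the original post): the tier names, lengths and data classifications below are assumptions, and the point is the ceiling each credential tier places on the data an account can reach.

```python
"""Risk-tiered password policy with a data-classification gate (constructed example)."""
from dataclasses import dataclass
import re

# Data classifications, ordered from least to most sensitive (constructed names).
PUBLIC, INTERNAL, CONFIDENTIAL = 0, 1, 2


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    require_mixed_case: bool
    require_digit: bool
    max_classification: int  # highest data tier this credential strength may reach


# Example tiers: the "5 characters" and "6 characters with mixed case and digits"
# policies the post mentions, plus a stronger tier (assumed values) for confidential data.
POLICIES = {
    "low": PasswordPolicy("low", 5, False, False, PUBLIC),
    "medium": PasswordPolicy("medium", 6, True, True, INTERNAL),
    "high": PasswordPolicy("high", 12, True, True, CONFIDENTIAL),
}


def password_meets(policy: PasswordPolicy, password: str) -> bool:
    """Check a candidate password against one tier's rules."""
    if len(password) < policy.min_length:
        return False
    if policy.require_mixed_case and not (
        re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)
    ):
        return False
    if policy.require_digit and not re.search(r"\d", password):
        return False
    return True


def policy_for(classification: int) -> PasswordPolicy:
    """Weakest tier that is still allowed to reach the given data classification."""
    for p in sorted(POLICIES.values(), key=lambda p: p.max_classification):
        if p.max_classification >= classification:
            return p
    raise ValueError("no policy covers this classification")


def may_access(account_policy: str, classification: int) -> bool:
    """The gate from the response: an account enrolled under a weak credential
    policy must not reach data above that policy's ceiling, business need or not."""
    return POLICIES[account_policy].max_classification >= classification
```

The gate is checked at data-access time, not only at registration, so a product that relaxes its password rules for customer convenience automatically loses access to the confidential tier.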

Of course, this conversation can easily lead on to other subjects such as making use of other form factors for authentication, and I wish we had a definitive, cheap, easy-to-use, easy-to-manage, secure standard for this. As we all know too well, in the world of security trade-offs you can have cheap and secure but it will be difficult to use, or you can have easy to use and secure but it will be too complex!

What’s your feedback and thoughts on this subject?