
This document is a work in progress!

Purpose and Scope

This wiki page is SWAMID's recommendations on password complexity and password guessing rate limiting. On this page we discuss how to create an environment that provides a reasonable security level to fulfil both the SWAMID Identity Assurance Level 1 Profile and the forthcoming SWAMID Identity Assurance Level 2 Profile.

Determining password strength

There are two factors to consider in determining password strength:

  1. the average number of guesses the attacker must test to find the correct password, and
  2. the ease and speed with which an attacker can check the validity of each guessed password.

The first factor is determined by how long the password is, how large the set of characters or symbols that can be used in the password is, whether a combination of lower-case, upper-case and non-alphabetic characters is used, and whether the password is generated randomly or chosen by the user. There is a trade-off between demanding high complexity and the user's ability to remember the password.

The second factor is the rate at which an attacker can submit password guesses to the system. If some kind of rate limiting is used, the need for password complexity is greatly reduced in online scenarios. However, the identity management system must store information about the users' passwords in some form, and if that information is stolen, say by breaching system security, less complex passwords are at greater risk.
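As an added illustration (not part of the SWAMID page), the following Python puts the two factors side by side: the size of the search space for a randomly generated password of a given length and character set, and the expected time to find it at an online, rate-limited guess rate versus an offline rate against stolen password data. The character class sizes, the lockout policy of 5 failed attempts per 15 minutes and the offline rate of 10^10 guesses per second are assumed illustrative values, not SWAMID figures; guess_time_for_bits is a hypothetical helper for the case where a user-chosen password's strength is expressed as an estimated effective entropy.

```python
import math

# Character class sizes. Assumed illustrative values; the page itself gives no numbers.
CHARACTER_CLASSES = {
    "lower": 26,   # a-z
    "upper": 26,   # A-Z
    "digit": 10,   # 0-9
    "symbol": 33,  # printable ASCII punctuation plus space
}


def alphabet_size(classes):
    """Number of distinct characters available when the given classes are allowed."""
    return sum(CHARACTER_CLASSES[c] for c in classes)


def search_space(length, classes):
    """All passwords of exactly `length` characters drawn from `classes`.

    This bound only holds for randomly generated passwords; a user-chosen
    password comes from a much smaller effective set (see guess_time_for_bits).
    """
    return alphabet_size(classes) ** length


def entropy_bits(length, classes):
    """Entropy of a uniformly random password of the given shape, in bits."""
    return length * math.log2(alphabet_size(classes))


def average_guesses(length, classes):
    """Factor 1: an exhaustive attacker succeeds, on average, halfway through the space."""
    return search_space(length, classes) // 2


def sustained_guess_rate(attempts_per_window, window_seconds):
    """Factor 2 (online): the best rate an attacker can sustain against one account
    when the system permits `attempts_per_window` failures per `window_seconds`."""
    return attempts_per_window / window_seconds


def seconds_to_find(length, classes, guesses_per_second):
    """Expected time to find a random password at the given guess rate."""
    return average_guesses(length, classes) / guesses_per_second


def guess_time_for_bits(effective_bits, guesses_per_second):
    """Same calculation for a password whose strength is given as an estimated
    effective entropy (hypothetical helper; the estimate for a user-chosen
    password must come from a strength meter or policy, not from this code)."""
    return 2 ** (effective_bits - 1) / guesses_per_second


def humanize(seconds):
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    # Assumed attacker models used for the comparison below.
    online_rate = sustained_guess_rate(5, 15 * 60)   # lockout: 5 failures per 15 minutes
    offline_rate = 1e10                              # stolen password data, fast hash on GPUs
    shapes = [
        (8, ["lower"]),
        (8, ["lower", "upper", "digit"]),
        (12, ["lower", "upper", "digit", "symbol"]),
        (16, ["lower"]),
    ]
    print(f"{'shape':<28}{'bits':>6}{'online (rate-limited)':>26}{'offline (stolen data)':>26}")
    for length, classes in shapes:
        label = f"{length} x {'+'.join(classes)}"
        print(f"{label:<28}{entropy_bits(length, classes):>6.1f}"
              f"{humanize(seconds_to_find(length, classes, online_rate)):>26}"
              f"{humanize(seconds_to_find(length, classes, offline_rate)):>26}")
```

Running the script prints one row per password shape; the online column shows how lockout alone pushes even a short lower-case password out of reach, while the offline column shows why complexity still matters once the stored password data has been stolen.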

Password complexity

Password guessing rate limiting
