Password Policies: Recent Developments and Possible Appraise


Password advice is constantly circulated by standards agencies, companies, websites and specialists.

Recently, various agencies (NIST, GCHQ) have issued updated password guidance. We categorised over 250 pieces of password advice and found great diversity in the advice that is given. In some cases, the advice we collected contradicted the results of established password security research.

In this talk we review some of the updated guidance and describe the findings from our study. We will discuss both in relation to modern password research.