The Business Case for Increasing Minimum Password Lengths
I love getting root. I also love looking for other people getting root. What I don’t love doing is telling how they can stop other people from getting that sweet sweet root. I know I’m not alone but unfortunately this is what gets many InfoSec folks paid. InfoSec folks have to explain to lay people how to make things more secure in a way that is easy to understand. For many this doesn’t come easily. Your root can be the sweetest root, but if you can’t explain to others why and how it needs to be fixed then you’ve arguably failed as an InfoSec professional. I’ve recently been in this situation. I’ve needed to justify to senior leadership increasing the minimum password length for Active Directory domain from the default 8 characters to 14. This was a tough sell because users don’t like long passwords. They’re considered harder to remember and a pain to have to enter every time they want to log in. To make this seemingly bitter pill easier to swallow, I also recommended that the maxi