An article this week on arstechnica.com highlighted an innovative new approach to password security at Stanford University. The policy is aimed at dynamically imposing requirements for password complexity based on the length the user chooses for their password, so that "short passwords must pass additional checks designed to flag common or weak passcodes (presumably choices such as 'P@ssw0rd1', which can usually be cracked in a matter of seconds). The standards gradually reduce the character complexity requirements when lengths reach 12, 16, or 20 characters. At the other end of the spectrum, passcodes that have a length of 20 or more can contain any character type an end user wants, including all lower case."
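To make the tiered scheme concrete, here is an added example checker written for this post (it is not Stanford's code). The article gives only the thresholds 12, 16 and 20; the character classes required below each threshold, the 8-character floor, and the small denylist standing in for the "common or weak passcodes" check are all my assumptions.

```python
"""Length-tiered password checker modelled on the policy described above."""
import re

# Constructed denylist standing in for the "common or weak passcodes" check;
# a deployment would use a large breached-password corpus instead.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

# Assumed tier rules: the article gives only the thresholds 12, 16 and 20
# and says 20+ characters may be "any character type"; the classes
# required below each threshold are my assumption, not Stanford's text.
TIERS = [
    (20, set()),                                   # 20+: anything goes
    (16, {"lower", "upper"}),                      # 16-19: mixed case
    (12, {"lower", "upper", "digit"}),             # 12-15: plus a digit
    (8,  {"lower", "upper", "digit", "symbol"}),   # 8-11: plus a symbol
]
CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"\d"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def normalize(pw: str) -> str:
    """Strip trailing digits and fold leetspeak so 'P@ssw0rd1' maps to 'password'."""
    leet = str.maketrans("@40$1!3", "aaossie")
    return re.sub(r"\d+$", "", pw.lower()).translate(leet)


def check_password(pw: str) -> list[str]:
    """Return policy violations for pw; an empty list means it is accepted."""
    n = len(pw)
    if n < 8:  # assumed absolute floor
        return ["shorter than 8 characters"]
    required = next(classes for min_len, classes in TIERS if n >= min_len)
    missing = sorted(c for c in required if not CLASSES[c].search(pw))
    problems = []
    if missing:
        problems.append(f"length {n} still requires: {', '.join(missing)}")
    # The extra weak-password check applies only below the top tier,
    # mirroring "short passwords must pass additional checks".
    if n < 20 and normalize(pw) in COMMON_PASSWORDS:
        problems.append("matches a common or weak password")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1", "Summertime2014", "correct horse battery staple"):
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}")
```

Note that 'P@ssw0rd1' satisfies every character-class rule for its length and is rejected only by the denylist, which is exactly the gap the article says the additional checks are meant to close.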
This is an encouraging development as well as a novel approach. Passwords are so common that they won't be going away any time soon, and most password policies leave users extremely vulnerable and/or frustrated. By acknowledging that passwords will remain part of a security strategy while leaving a "one size fits all" set of requirements behind, this kind of policy both encourages users to create passwords that are easy to remember yet more secure, and applies its rules according to the choices the user makes. This is the kind of policy other organizations should look at to extend the value and lifespan of password requirements for their users. In closing, the author states: "The elegance of Stanford's policy is that it eschews the one-size-fits-all approach most websites and networks take when attempting to ensure their users choose strong passwords. By offering increased flexibility, there's a better likelihood that people connecting to University services will remain secure. In an age when passwords have never been weaker and crackers have never been stronger, that's enlightenment indeed."