...
Note: The above recommendations closely mirror the recommendations from Microsoft [8].
What is the current Synapse Password Policy?
...
As one group of researchers points out, even weak passwords are secure when there is a limit on the number of failed attempts [10]. This is why bank card PINs are secure even though they have only 13 bits of entropy. With an enforced exponential backoff for failed attempts, an attacker gets fewer than a dozen attempts per year. With so few attempts, only the most common passwords could be guessed. A system that blocks users from selecting the most common passwords, combined with exponential backoff, would be secure even when users choose "weak" passwords.
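As an added illustration of the argument above (example code, not Synapse's own rate limiter), the model below counts how many online guesses an attacker gets per year under an exponential-backoff lockout, turns that into the chance of guessing a 13-bit secret, and refuses a blocklist of common passwords. The base delay, the cap and the blocklist contents are assumptions chosen for the example.

```python
"""Exponential-backoff lockout model plus a common-password blocklist (illustrative)."""
from typing import Optional

SECONDS_PER_YEAR = 365 * 24 * 3600

# Constructed blocklist; a deployment would load the most common leaked passwords.
COMMON_PASSWORDS = frozenset({"123456", "password", "qwerty", "letmein", "welcome"})


def is_password_allowed(password: str) -> bool:
    """Reject the most common passwords (case-insensitively); everything else passes."""
    return password.strip().lower() not in COMMON_PASSWORDS


def lockout_delay(consecutive_failures: int, base: float = 1.0,
                  cap: Optional[float] = None) -> float:
    """Seconds the account stays locked after the n-th consecutive failure.

    Delay is base * 2**(n-1), optionally capped. A cap bounds how long an
    attacker who keeps failing on purpose can keep the legitimate user locked out.
    """
    if consecutive_failures <= 0:
        return 0.0
    # 2**64 seconds already exceeds any horizon modelled here, so clamp the
    # exponent to avoid float overflow on very long failure streaks.
    delay = base * 2.0 ** min(consecutive_failures - 1, 64)
    return min(delay, cap) if cap is not None else delay


def guesses_per_year(base: float = 1.0, cap: Optional[float] = None) -> int:
    """Online guesses an attacker who never succeeds can make within one year."""
    elapsed = 0.0
    guesses = 0
    while elapsed <= SECONDS_PER_YEAR:
        guesses += 1                                   # guess made at time `elapsed`
        elapsed += lockout_delay(guesses, base, cap)   # then the account locks
    return guesses


def yearly_compromise_probability(entropy_bits: float, base: float = 1.0,
                                  cap: Optional[float] = None) -> float:
    """Chance that a uniformly random secret of `entropy_bits` is guessed in a year."""
    return min(1.0, guesses_per_year(base, cap) / 2 ** entropy_bits)


if __name__ == "__main__":
    print("uncapped, 1 s doubling: guesses/year =", guesses_per_year())
    print("13-bit secret compromise chance/year = %.4f" % yearly_compromise_probability(13))
    print("capped at one day: guesses/year =", guesses_per_year(cap=86400))
```

Compare the capped and uncapped figures: the cap that protects availability is exactly what hands the attacker more guesses, so the two parameters have to be tuned together.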
References
1. Carnavalet, Xavier et al. "A Large-Scale Evaluation of High-Impact Password Strength Meters". madiba.encs.concordia.ca, 2015.
2. Zhang, Yinqian et al. "The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis". cs.unc.edu, 2010.
3. Schneier, Bruce. "Real-World Passwords". schneier.com.
4. Goodin, Dan. "Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331”". arstechnica.com, 2013.
5. Schneier, Bruce. "Choosing Secure Passwords". schneier.com, 2014.
6. Bonneau, Joseph et al. "Passwords and the Evolution of Imperfect Authentication". jbonneau.com.
7. Wheeler, Daniel. "zxcvbn: Low-Budget Password Strength Estimation". usenix.org, August 10–12, 2016.
8. Hicock, Robyn. "Microsoft Password Guidance". microsoft.com.
9. Egelman, Serge et al. "Does My Password Go up to Eleven? The Impact of Password Meters on Password Selection". microsoft.com.
10. Florencio, Dinei et al. "Do Strong Web Passwords Accomplish Anything?". microsoft.com.
11. Goodin, Dan. "How the Bible and YouTube are fueling the next frontier of password cracking". arstechnica.com, 2013.
...