Recently, Microsoft published a new password policy recommendation paper containing advice that flies in the face of conventional wisdom on the subject. Some of the contrarian viewpoints include:
- Eliminate long password requirements
- Eliminate complexity requirements
- Do away with password life expirations
Along with this unconventional advice comes a bunch of useful suggestions:
- Ban common passwords
- Eliminate password reuse
- Enforce multifactor authentication
- Enable risk-based, multifactor authentication challenges
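Two of the suggestions above, banning common passwords and eliminating password reuse, are straightforward to enforce at the point where a user sets a new password. The following is an added example written for this post, not code from Microsoft's paper or from any Microsoft product: the banned list is a tiny constructed sample, and the normalization rules (case folding, stripping trailing digits and punctuation, folding substitutions such as `@` for `a` and `0` for `o`) are this example's own assumptions about how a "common password" check should catch trivial variants. Reuse is checked against a history of salted PBKDF2 hashes so that old passwords never need to be stored in clear.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed sample of a banned-common-passwords list. A real deployment
# would use a large breach-derived list; this handful is illustrative only.
BANNED_COMMON = {
    "password", "123456", "qwerty", "letmein", "welcome", "iloveyou", "admin",
}

# Character substitutions folded before comparison (assumption of this
# example): "P@ssw0rd" should be treated as "password".
SUBSTITUTIONS = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})

# Trailing characters that users typically append to get past rules.
TRAILING_NOISE = "0123456789!?.,;:-_ "

PBKDF2_ITERATIONS = 200_000


def normalize(password: str) -> str:
    """Lowercase, strip trailing digits/punctuation, then fold substitutions,
    so 'P@ssw0rd2024!' is compared against the banned list as 'password'."""
    folded = password.lower().rstrip(TRAILING_NOISE)
    return folded.translate(SUBSTITUTIONS)


def is_banned(password: str) -> bool:
    """True if the normalized password is a banned word, or is built around
    a banned word of six or more characters (e.g. 'mypassword')."""
    norm = normalize(password)
    if norm in BANNED_COMMON:
        return True
    return any(word in norm for word in BANNED_COMMON if len(word) >= 6)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 with a random per-entry salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def was_used_before(password: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """Re-derive the candidate with each historical salt and compare in constant time."""
    for salt, digest in history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def evaluate_new_password(password: str, history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Return the list of policy violations for a proposed password (empty = accept)."""
    problems = []
    if is_banned(password):
        problems.append("banned: matches a common password after normalization")
    if was_used_before(password, history):
        problems.append("reuse: matches a previous password")
    return problems


if __name__ == "__main__":
    # Constructed history: one previous password for a demo account.
    history = [hash_password("OldSecret-99")]
    for candidate in ("P@ssw0rd2024!", "OldSecret-99", "correct horse battery staple"):
        print(candidate, "->", evaluate_new_password(candidate, history) or ["ok"])
```

Note that neither check cares about length or character classes: a long passphrase with no digits passes, while "P@ssw0rd2024!" fails despite satisfying every classic complexity rule, which is exactly the point the paper makes.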