July 14, 2021

PCI Password Composition Policy

What do people think about how robust the PCI password requirements are? The organization I work for follows them and implements an 8 character minimum with upper/lower/number and/or symbol. That requirement is for non-admin internal users. It does not, however, make any mention of commonly used dictionary words or personal information. I would think that even with digits and symbols, if you still compose your password largely with an actual word of some kind, that would leave you vulnerable to a dictionary or bicycle attack, no? Just curious, as the current policy seems like it could be more sound.
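As a concrete illustration of the gap the question describes, here is an added Python example (not code from the original thread, and not anything PCI DSS publishes) that implements the composition rule as the post states it, read here as 8 characters, upper and lower case, and at least one digit or symbol, next to the dictionary-word and personal-information checks the post says are missing. The wordlist, the leet map and the personal facts are constructed for the example; a real deployment would load an actual cracking wordlist and the directory attributes the organization holds.

```python
import re
import string
from typing import Dict, List, Optional

# Constructed stand-in for a real cracking wordlist (assumption for this
# example; a real check would load a large list such as rockyou.txt).
COMMON_WORDS = {
    "password", "welcome", "summer", "winter", "spring", "autumn",
    "letmein", "qwerty", "football", "monkey", "dragon", "company",
}

# Leet substitutions a cracker's rule set undoes before the dictionary lookup
# (constructed subset; real rule sets are far larger).
LEET_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s",
})


def passes_composition(pw: str, min_len: int = 8) -> bool:
    """Composition rule as the post describes it: at least min_len chars,
    upper and lower case, plus at least one digit or symbol."""
    has_upper = any(c.isupper() for c in pw)
    has_lower = any(c.islower() for c in pw)
    has_digit_or_symbol = any(c.isdigit() or c in string.punctuation for c in pw)
    return len(pw) >= min_len and has_upper and has_lower and has_digit_or_symbol


def normalize(pw: str) -> str:
    """Lowercase, undo leet substitutions and drop everything that is not a
    letter, leaving the word core a dictionary attack actually targets."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(LEET_MAP))


def dictionary_words_in(pw: str, words=COMMON_WORDS) -> List[str]:
    """Dictionary words (5+ letters) embedded in the normalized password."""
    core = normalize(pw)
    return sorted(w for w in words if len(w) >= 5 and w in core)


def personal_info_in(pw: str, facts: Dict[str, str]) -> List[str]:
    """Labels of personal facts (username, names, birth year...) found in the
    password. Checked raw (so years survive) and normalized (so 'Sm1th' is
    still caught); short values are skipped to avoid spurious matches."""
    raw, core = pw.lower(), normalize(pw)
    hits = []
    for label, value in facts.items():
        v = value.lower()
        nv = normalize(v)
        if len(v) >= 4 and (v in raw or (len(nv) >= 4 and nv in core)):
            hits.append(label)
    return hits


def evaluate(pw: str, facts: Optional[Dict[str, str]] = None) -> List[str]:
    """Return the reasons a password should be rejected; empty means accept."""
    problems = []
    if not passes_composition(pw):
        problems.append("fails composition rule")
    for w in dictionary_words_in(pw):
        problems.append(f"built on dictionary word '{w}'")
    for label in personal_info_in(pw, facts or {}):
        problems.append(f"contains personal info ({label})")
    return problems


if __name__ == "__main__":
    # Constructed user attributes for the demo, not real data.
    facts = {"username": "jsmith", "first_name": "John",
             "last_name": "Smith", "birth_year": "1985"}
    for pw in ["Password1!", "P@ssw0rd", "Summer2021!", "Jsmith1985!", "Tq7#vLm9pXz2"]:
        print(f"{pw:14} composition={passes_composition(pw)} problems={evaluate(pw, facts)}")
```

The point to take from running it: "Password1!", "P@ssw0rd" and "Summer2021!" all satisfy the composition rule yet fail the dictionary check once the digits and symbols are stripped and the leet substitutions undone, which is exactly the transformation a cracking rule set applies. "Jsmith1985!" likewise passes composition but is built entirely from the user's own directory attributes. Only the random string passes every check. The example only rejects weak choices at set time; it does not replace slow hashing, rate limiting or breached-password screening.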



For what it’s worth, I’m not fond of password complexity requirements at all. If people have a bad password, that’s part of a broader bad practice. Requirements will force them to make their password only marginally more secure (how many of you added an exclamation mark to the beginning or end of a password that requires symbols back when you had Bad Password Practices? *raises hand*).

I’m much more interested in the work done by a few companies that have a short blurb next to their password change or password set field which explains that passwords shouldn’t be reused (my main beef), and in very rare cases, they also provide a link to security recommendations for how modern ‘secure’ passwords should be generated and managed. This encourages a change in practice, rather than the bare minimum conformance to get by. I was really impressed with a lesser-known cloud provider for going to that length recently.

We’ll see how that plays out in the long run, of course. Perhaps it allows people who fall behind to stay behind, which isn’t good either. But I haven’t had any trouble convincing the average person that basic security is a good thing to be thoughtful and proactive about in… years.
