Password Policy
SWITCH edu-ID passwords must meet the following requirements:
- Minimum length: The password must consist of at least 12 characters.
- Complexity: Depending on the length of the password, several character classes must be used (lowercase characters, uppercase characters, digits, punctuation symbols).
- Patterns: The password must not contain repetitive characters (e.g. "aaaa", "1111"), sequences (e.g. "1234", "abcde") or common keyboard patterns (e.g. "qwertz", "asdf").
- Leaked passwords: Passwords must not appear in the Have I Been Pwned Passwords database of more than 600 million leaked passwords. The check is performed securely via the k-anonymity API, so only a short prefix of the password hash is ever sent to the service.
As recommended by NIST SP 800-63B (see below), no periodic password change is required.
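The rules above as an added Python checker (example code, not SWITCH's own implementation). The character-class scale in required_classes, the keyboard-pattern list and the fake_fetch_range stub standing in for the real Pwned Passwords range endpoint are assumptions, and the leaked sample password is constructed.

```python
import hashlib
import string

MIN_LENGTH = 12
KEYBOARD_PATTERNS = ("qwertz", "qwerty", "asdf", "yxcv")  # assumed list; page names only "qwertz", "asdf"

def required_classes(length):  # assumed scale: the page gives no numbers
    return 2 if length >= 16 else 3

def character_classes(pw):
    tests = (str.islower, str.isupper, str.isdigit, lambda c: c in string.punctuation)
    return sum(any(t(c) for c in pw) for t in tests)

def has_repetition(pw, run=4):  # "aaaa", "1111"
    return any(pw[i:i + run] == pw[i] * run for i in range(len(pw) - run + 1))

def has_sequence(pw, run=4):  # "1234", "abcd" and descending "dcba"
    c = [ord(x) for x in pw.lower()]
    return any({c[j + 1] - c[j] for j in range(i, i + run - 1)} in ({1}, {-1})
               for i in range(len(c) - run + 1))

def has_keyboard_pattern(pw):
    low = pw.lower()
    return any(p in low or p[::-1] in low for p in KEYBOARD_PATTERNS)

def hibp_breach_count(pw, fetch_range):
    # k-anonymity: only the first 5 hex chars of the SHA-1 leave the client; the
    # remaining 35 are matched locally against the returned "SUFFIX:COUNT" lines.
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0

def check_policy(pw, fetch_range):
    rules = [
        (len(pw) < MIN_LENGTH, "too short"),
        (character_classes(pw) < required_classes(len(pw)), "too few character classes"),
        (has_repetition(pw), "repeated characters"),
        (has_sequence(pw), "sequence"),
        (has_keyboard_pattern(pw), "keyboard pattern"),
        (hibp_breach_count(pw, fetch_range) > 0, "leaked"),
    ]
    return [msg for hit, msg in rules if hit]
_LEAKED = "Password1234"  # constructed stand-in for a password present in the corpus
def fake_fetch_range(prefix):
    # Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>; filler line constructed.
    d = hashlib.sha1(_LEAKED.encode("utf-8")).hexdigest().upper()
    hits = [f"{d[5:]}:42"] if d[:5] == prefix else []
    return "\n".join(["0018A45C4D1DEF81644B54AB7F969B88D65:1"] + hits)
```

In production, fetch_range would perform the HTTPS request for the 5-character prefix and return the response body unchanged; the comparison logic stays the same.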
Recommendations to Users of SWITCH edu-ID
- Use a password manager (such as Bitwarden, LastPass, PassSafe, 1Password or KeePass).
- Choose a long password, e.g. using the hints on the iBarry web page.
- Don't re-use a password across multiple websites.
- Activate Two-Step Login (multi-factor authentication).
NIST Recommendations and Further References
- NIST SP 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management, June 2017: https://pages.nist.gov/800-63-3/sp800-63b.html, in particular the recommendations for memorized secrets.
- REFEDS: SFA Minimum Requirements specification