We require 16 characters, and we hash-check all passwords against the Have I Been Pwned database. We removed the regular expressions with normalization and fuzzy logic because almost all of the password combinations already exist in the database. We had lots of complaints about the difficulty in picking a password, so we also created a mechanism which explains why a password fails validation.

We haven't looked at full passwordless authentication, and we use risk-based authentication for MFA prompts.

On Wed, Apr 3, 2024 at 11:11 AM James Wilkinson via USHE-ISO <ushe-iso@lists.dixie.edu> wrote:

Can I get a quick poll on what the minimum length everyone is requiring for students?

 

And possibly if anyone has considered going “passwordless?”

 

James Wilkinson | SLCC

 

--
USHE-ISO mailing list
USHE-ISO@lists.dixie.edu
http://lists.dixie.edu/cgi-bin/mailman/listinfo/ushe-iso
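
The check described in the reply above (16-character minimum, breached-password hash lookup, and an explanation of each failure), as an added example that is not the sender's code. It assumes the Pwned Passwords k-anonymity range format (5-character SHA-1 prefix in, `SUFFIX:COUNT` lines out); the lookup is an offline stand-in built from constructed sample data, and all function names are hypothetical.

```python
import hashlib

MIN_LENGTH = 16  # minimum length stated in the reply above


def sha1_hex(password):
    """Uppercase SHA-1 hex digest, the form used by the range format."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def make_offline_range_lookup(breached):
    """Offline stand-in for a range endpoint (assumption): maps a 5-char
    hash prefix to 'SUFFIX:COUNT' lines, built from a constructed dict."""
    table = {}
    for password, count in breached.items():
        digest = sha1_hex(password)
        table.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return lambda prefix: "\r\n".join(table.get(prefix, []))


def breach_count(password, range_lookup):
    """Only the 5-char prefix leaves this function; the suffix is
    compared locally, so the lookup never sees the full hash."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0


def validate_password(password, range_lookup):
    """Return human-readable failure reasons; an empty list means accepted."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(
            f"Too short: {len(password)} characters, minimum is {MIN_LENGTH}.")
    seen = breach_count(password, range_lookup)
    if seen:
        reasons.append(
            f"Found in known breach data ({seen} occurrences); choose another.")
    return reasons


# Constructed sample data: passwords and counts are illustrative only.
SAMPLE_BREACHED = {"password": 1000, "correcthorsebatterystaple": 200}
LOOKUP = make_offline_range_lookup(SAMPLE_BREACHED)
```

A long passphrase can still fail the breach check even though it passes the length rule, which is why each reason is reported separately.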