
Stanford Password Policy Explained

Back in April 2014, Stanford University created a password policy that lets end users determine the level of complexity for their own passwords. A shorter password requires more character types, and a longer password requires fewer.

Here is the breakdown of the Stanford Password Policy:

Stanford University reports that passwords over 20 characters are the gold standard and offer the most protection for your account. Longer passwords are more secure and take hackers longer to obtain. Due to brute force attacks and rainbow tables, passwords need to be a minimum of 15 characters in length. For more information about how passwords get hacked, read more here.

  • 8-11 character passwords require the use of upper case, lower case, numeric, and special characters
  • 12-15 character passwords require the use of upper case, lower case, and numeric characters
  • 16-19 character passwords require upper and lower case characters
  • 20+ characters require lower case characters

Furthermore, because passwords greater than 15 characters do not require numeric or special characters, passwords that comply with the Stanford Password Policy are easy to enter on mobile devices. There is no need to switch keyboards on a mobile device to enter numeric or special characters.

Stanford University also recommends an easy way to create a password: think of four common words and place them together (paper watermelon purse bike). Put together, these four words are 27 characters with spaces and 24 characters without.

At nFront Security, we recommend that our customers use dictionary checking for their password policy, because most hacked passwords include a common dictionary word. However, the nFront Password Filter also offers a feature to disable dictionary checking for passwords longer than a designated character length. Research indicates that it is safe to disable dictionary checking for passwords that are longer than the lengths targeted in brute force and rainbow table hacking attempts. We recommend disabling it for passwords 15 characters or longer to promote the use of passphrases.
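The length tiers listed above, combined with the dictionary-check exemption for passwords of 15 characters or longer, can be expressed as a small validator. This is an added example, not nFront's or Stanford's code; the function names, the sample word list, the treatment of "special" as ASCII punctuation, and the substring-based dictionary match are assumptions made for illustration.

```python
import string

# Length tiers from the policy breakdown above: (minimum length, required classes).
TIERS = [
    (20, ("lower",)),
    (16, ("lower", "upper")),
    (12, ("lower", "upper", "digit")),
    (8, ("lower", "upper", "digit", "special")),
]

CLASS_TESTS = {
    "lower": str.islower,
    "upper": str.isupper,
    "digit": str.isdigit,
    # Assumption: "special" means any ASCII punctuation character.
    "special": lambda c: c in string.punctuation,
}

# Constructed sample word list; a real deployment would load a much larger one.
SAMPLE_DICTIONARY = {"password", "welcome", "dragon", "paper", "purse", "bike"}

# Dictionary checking is skipped at or above this length (15, as recommended above).
DICTIONARY_EXEMPT_LENGTH = 15


def required_classes(length):
    """Return the character classes required for a password of this length."""
    for minimum, classes in TIERS:
        if length >= minimum:
            return classes
    return None  # shorter than 8 characters: no tier applies


def check_password(password, dictionary=SAMPLE_DICTIONARY):
    """Return a list of policy violations; an empty list means compliant."""
    classes = required_classes(len(password))
    if classes is None:
        return ["shorter than 8 characters"]
    problems = [f"missing {name} character" for name in classes
                if not any(CLASS_TESTS[name](c) for c in password)]
    if len(password) < DICTIONARY_EXEMPT_LENGTH:
        lowered = password.lower()
        # Assumption: a case-insensitive substring match counts as a dictionary hit.
        problems += [f"contains dictionary word '{w}'"
                     for w in sorted(dictionary) if w in lowered]
    return problems
```

The four-word passphrase from the text passes with or without spaces, while a 9-character password such as `Welcome1!` satisfies all four character classes and is still rejected for containing a dictionary word.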

Using the nFront Password Filter, there is a single checkbox option for enforcing the Stanford Password Policy. All you will need to do is select the box that reads “Enforce Stanford Password Policy” and the policy will be effective for your entire Active Directory.

Using the Stanford Password Policy is a secure and easy way to ensure that your network is protected and that end users are making smart password choices. Implement it today with one easy step!