The current password strength policy is insufficient and does not behave the way an admin expects when configuring it.
There are 5 password strengths: None, Low, Fair, Good and Excellent.
None: Non-empty password required
Low: Must have the minimum number of characters
Fair: Must have the minimum number of characters AND contain Lower case (a-z), upper case (A-Z) and numbers (0-9)
Good: Must have the minimum number of characters AND contain any three of the following:
- Special characters (!@#$%^&*)
- Lower case (a-z), upper case (A-Z) and numbers (0-9)
Excellent: Must have the minimum number of characters AND have no more than 2 identical characters in a row AND contain any three of the following:
- Special characters (!@#$%^&*)
- Lower case (a-z), upper case (A-Z) and numbers (0-9)
The “Good” policy is effectively useless and does not do what an admin expects when they read it. Rather than requiring special characters IN ADDITION to the lower case (a-z), upper case (A-Z) and number (0-9) requirements, a password without any special character that meets the Fair policy also passes the Good policy without any issues.
I would like this password strength policy to be updated to either:
- Good Policy enforces the special characters
OR
- Fair policy requires 3 of 4 [Lower case (a-z), upper case (A-Z), numbers (0-9), special characters (!@#$%^&)] AND the Good Policy requires ALL OF [Lower case (a-z), upper case (A-Z), numbers (0-9), special characters (!@#$%^&)]
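To make the gap concrete, the following is an added Python model of the five levels exactly as described above, plus the second proposed option (Fair = any 3 of 4 classes, Good = all 4); it is example code, not the product's own implementation. The post does not state the minimum length, so 8 is assumed, and because the proposal does not redefine None, Low or Excellent, those are kept unchanged.

```python
import re
# Character classes named in the post's policy description.
CLASS_PATTERNS = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[!@#$%^&*]"),
}
LEVELS = ("None", "Low", "Fair", "Good", "Excellent")
MIN_LEN = 8  # the post mentions a minimum length but not its value; 8 is assumed

def classes_present(password):
    """Return the set of policy character classes that occur in the password."""
    return {name for name, pat in CLASS_PATTERNS.items() if pat.search(password)}

def has_long_run(password, limit=2):
    """True if any character repeats more than `limit` times in a row."""
    return re.search(r"(.)\1{%d,}" % limit, password) is not None

def meets_current(level, password):
    """Current policy, level by level, as the post describes it."""
    classes = classes_present(password)
    if level == "None":
        return len(password) > 0
    if len(password) < MIN_LEN:
        return False
    if level == "Low":
        return True
    if level == "Fair":
        return {"lower", "upper", "digit"} <= classes
    if level == "Good":
        return len(classes) >= 3  # any three of the four classes: specials are optional
    if level == "Excellent":
        return len(classes) >= 3 and not has_long_run(password)
    raise ValueError(level)

def meets_proposed(level, password):
    """The post's second option: Fair = any 3 of 4 classes, Good = all 4.
    None, Low and Excellent are not redefined by the post and are kept as-is."""
    classes = classes_present(password)
    if level == "Fair":
        return len(password) >= MIN_LEN and len(classes) >= 3
    if level == "Good":
        return len(password) >= MIN_LEN and len(classes) == 4
    return meets_current(level, password)

def levels_passed(password, policy=meets_current):
    """Names of the levels a password satisfies under the given policy function."""
    return [lvl for lvl in LEVELS if policy(lvl, password)]
```

Running `levels_passed("Password1")` shows the complaint directly: a password with no special character satisfies every level, including Good, while `meets_proposed("Good", "Password1")` is False.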