Following the guidelines required by NIST SP 800-63B the following requirements have be placed on passwords for Tobii Dynavox Single Sign On accounts.
- 8 character minimum
- Cannot be present on a list consisting of passwords from previous public security breaches, commonly used dictionary words and repetitive or sequential characters. An open source framework (zxcvbn ) is used to score passwords based on these criteria.
- Guidance is offered to the user, in the form of a strength meter & text explaining the reasoning for a password's rejection.
Using zxcvbn, passwords scored as "Not Secure" or "Weak" if they use any of the following:
- common dictionary words
- common names and surnames
- common dates
- straight rows or short keyboard patterns
- sequential characters like "aaa" or repeating characters like "abcabcabc"
- predictable substitutions like '@' instead of 'a' or uppercase letters do not exclude a password from the restrictions
ReferencesNIST.SP.800-63b (Authentication and Lifecycle Management).pdfzxcvbn: Low-Budget Password Strength by Estimation Daniel Lowe Wheeler, Dropbox Inc.