Why Read This
Protecting access to information technology assets by using passwords is as old as the concept of IT security itself. Today, passwords remain a popular means of authentication. Each service guarded by user passwords has a password policy that determines the strength of the password against brute-force attacks. Establishing the right password policy for your organization requires you to understand your risk profile as well as the fundamental information-theoretical concepts that determine the password strength. This report breaks down these concepts in the framework of the National Institute of Standards and Technologies' (NIST's) authentication levels. Information security professionals can adapt the fundamentals to their policy work to determine the appropriate password length and fail-retry limit for the risk they are facing.