ABSTRACT
Although many organizations have aggressive password controls in place, adopting the most restrictive
and "secure" password policy does not always serve the needs of the business. In fact, excessive password
policies can cause unintended business and security problems. This chapter focuses on the blended threat
of password attacks; documents the approach taken by this project; and describes the password policy
modeling, research, and analysis performed to determine an optimum password policy. It also details
password and authentication attacks and the compensating controls that counter them. Appropriate
compensating controls are recommended for increasing password and access control strength, focusing
on high-impact, low-cost measures.