This report was inspired by a number of customer inquiries that I had recently on mobile password policies. It struck me that few IT organizations actually understood the fundamental rationale behind password policies: the length and complexity of passwords, the number of password retries, and password lifetime. This is perhaps because we take user passwords, one of the most basic security controls, for granted, and hence don't think about them too deeply. Because it is such a prevalent security control, and because many organizations don't have much beyond user passwords, it is high time we understood why we set a particular password policy and whether it works for our particular risk profile.
So I set out to write this report to describe the theoretical underpinnings of password properties. For example, if you require that your mobile users use a 6-digit PIN to access their mobile phones, do you know how many PIN fail-retries you should permit while still achieving NIST level one authentication? What about a 6-character alphanumeric password?
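The questions above come down to one calculation: the size of the space the secret is drawn from, and how many online guesses a policy may allow before an attacker's chance of success exceeds a chosen ceiling. The following Python is an added example of that calculation, not code from this report. It assumes the secret is chosen uniformly at random (true of a generated PIN, optimistic for a user-chosen password, whose effective keyspace is smaller than the arithmetic suggests), and it takes the success-probability ceiling as a parameter; the 1-in-1024 default is my reading of the NIST SP 800-63 Level 1 online-guessing requirement, not a figure this page states. It goes slightly beyond the text by also splitting the total guess budget across a password lifetime with a retry counter that resets each period.

```python
import math
from fractions import Fraction

# Alphabet sizes for the two cases in the text (assumption: uniformly random choice).
DIGITS = 10                 # numeric PIN
ALNUM_CASE_SENSITIVE = 62   # a-z, A-Z, 0-9

# Success-probability ceiling used as the default. My reading of SP 800-63 Level 1;
# treat it as a parameter you set from your own risk profile.
LEVEL1_MAX_SUCCESS = Fraction(1, 1024)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of equally likely secrets of `length` symbols over the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random secret: log2 of the keyspace."""
    return length * math.log2(alphabet_size)


def max_online_guesses(alphabet_size: int, length: int,
                       max_success_prob: Fraction = LEVEL1_MAX_SUCCESS) -> int:
    """Largest number of distinct online guesses that keeps the attacker's chance of
    hitting a uniformly random secret at or below max_success_prob.
    With N equally likely secrets, g distinct guesses succeed with probability g/N,
    so the budget is floor(N * p). Exact rational arithmetic avoids float rounding."""
    n = keyspace(alphabet_size, length)
    return math.floor(n * max_success_prob)


def max_retries_per_period(alphabet_size: int, length: int, lifetime_periods: int,
                           max_success_prob: Fraction = LEVEL1_MAX_SUCCESS) -> int:
    """Retries a policy may allow per lockout period (e.g. per day) when the failed-attempt
    counter resets every period and the secret lives for `lifetime_periods` periods.
    Returns 0 when the secret is too small to meet the target at all under that scheme,
    which is the failure mode short PINs with long lifetimes run into."""
    total = max_online_guesses(alphabet_size, length, max_success_prob)
    return total // lifetime_periods


def policy_meets_target(alphabet_size: int, length: int, retries_per_period: int,
                        lifetime_periods: int,
                        max_success_prob: Fraction = LEVEL1_MAX_SUCCESS) -> bool:
    """Check an existing policy: total guesses over the lifetime must fit the budget."""
    return retries_per_period * lifetime_periods <= max_online_guesses(
        alphabet_size, length, max_success_prob)


if __name__ == "__main__":
    # Constructed policy parameters: 90-day password lifetime, counter resets daily.
    for name, alphabet, length in (("6-digit PIN", DIGITS, 6),
                                   ("4-digit PIN", DIGITS, 4),
                                   ("6-char alphanumeric", ALNUM_CASE_SENSITIVE, 6)):
        print(f"{name}: {entropy_bits(alphabet, length):.1f} bits, "
              f"budget {max_online_guesses(alphabet, length)} guesses, "
              f"{max_retries_per_period(alphabet, length, 90)} retries/day over 90 days")
```

The per-period split is deliberately conservative: it assumes the attacker uses every retry the counter allows in every period, which is the worst case a policy has to hold against. A scheme that throttles rather than resets (for example, exponential back-off) has a different budget and needs its own calculation.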