You get hacked, so you bring your password policy roaring into the 1990s. Please feel free to pass this on to whoever designed this new policy or the twat that signed it off. I will be looking for a new provider.
From https://www.ncsc.gov.uk/collection/passwords/updating-your-approach
Don't enforce regular password expiry
Regular password changing harms rather than improves security. Many systems will force users to change their password at regular intervals, typically every 30, 60 or 90 days. This imposes burdens on the user and there are costs associated with recovering accounts.
Forcing password expiry carries no real benefits because:
the user is likely to choose new passwords that are only minor variations of the old
stolen passwords are generally exploited immediately
resetting the password gives you no information about whether a compromise has occurred
an attacker with access to the account will probably also receive the request to reset the password
if compromised via insecure storage, the attacker will be able to find the new password in the same place
and also:
Do not use complexity requirements
Using complexity requirements (that is, where staff can only use passwords that are suitably complex) is a poor defence against guessing attacks. It places an extra burden on users, many of whom will use predictable patterns (such as replacing the letter ‘o’ with a zero) to meet the required 'complexity' criteria. Attackers are familiar with these strategies and use this knowledge to optimise their attacks. Additionally, complexity requirements provide no defence against common attack types such as social engineering or insecure storage of passwords.
For the above reasons, the NCSC do not recommend the use of complexity requirements when implementing user generated passwords. The use of technical controls to defend against automated guessing attacks is far more effective than relying on users to generate (and remember) complex passwords. However, you should specify a minimum password length, to prevent very short passwords from being used. Avoid using any maximum length requirements that a user might try to exceed, as they will make it harder for users to choose a suitable password that fits the length criteria. Password length should only be capped by the capabilities of your system. Be aware that enforcing excessively long passwords will introduce other burdens (such as time taken to enter passwords, and the increased likelihood of mistyping especially on touch screen devices). Adopting the 'three random words' technique (https://www.ncsc.gov.uk/blog-post/three-random-words-or-thinkrandom-0) can help users to use suitably complex passphrases that they can actually remember.
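The "technical controls to defend against automated guessing attacks" that the NCSC text prefers over complexity rules are not spelled out on the page. The following is an added example (not NCSC code) of the most common one: a per-account throttle that, after a few free attempts, doubles the wait before the account will accept another password. The free-attempt count, base delay and cap are assumptions of the example; the account name, guesses and clock values are constructed.

```python
"""Throttling of automated guessing: the kind of technical control the NCSC
text above prefers over composition rules. Added example, not NCSC code."""
from dataclasses import dataclass, field


@dataclass
class AttemptThrottle:
    """Per-account throttle for failed sign-ins.

    After `free_attempts` consecutive failures, every further failure doubles
    the delay before the account accepts another attempt, up to `max_delay`.
    The numbers are assumptions of this example (the NCSC text names none);
    state is kept in memory, a real verifier would share it across nodes.
    """
    free_attempts: int = 5
    base_delay: float = 30.0
    max_delay: float = 3600.0
    _failures: dict = field(default_factory=dict)       # account -> consecutive failures
    _blocked_until: dict = field(default_factory=dict)  # account -> unix time

    def retry_after(self, account: str, now: float) -> float:
        """Seconds until an attempt on `account` is accepted; 0.0 means now."""
        return max(0.0, self._blocked_until.get(account, 0.0) - now)

    def record_failure(self, account: str, now: float) -> float:
        """Register a wrong password and return the delay it imposes."""
        n = self._failures.get(account, 0) + 1
        self._failures[account] = n
        if n <= self.free_attempts:
            return 0.0
        delay = min(self.max_delay,
                    self.base_delay * 2 ** (n - self.free_attempts - 1))
        self._blocked_until[account] = now + delay
        return delay

    def record_success(self, account: str) -> None:
        """A correct password clears the account's failure history."""
        self._failures.pop(account, None)
        self._blocked_until.pop(account, None)


def attempt_login(throttle, account, password, expected, now):
    """Constructed verifier loop returning 'throttled', 'ok' or 'wrong'.

    Throttled attempts are refused without the password being checked at all,
    so a guessing script gains nothing by continuing to submit."""
    if throttle.retry_after(account, now) > 0:
        return "throttled"
    if password == expected:          # stands in for a real hash comparison
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account, now)
    return "wrong"


def simulate_guessing(guesses: int) -> list:
    """Constructed scenario: `guesses` wrong passwords one second apart against
    a single account; returns the outcome of each attempt."""
    t = AttemptThrottle()
    return [attempt_login(t, "alice", f"guess{i}", "correct one", float(i))
            for i in range(guesses)]


if __name__ == "__main__":
    print(simulate_guessing(10))
```

The throttle caps how many guesses an attacker gets per account regardless of how well they have modelled the user's substitution habits, which is exactly why the NCSC rates it above composition rules. In practice it is paired with per-source limits so that a single remote party cannot lock a legitimate user out indefinitely.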
From NIST SP 800-63B:
3.1.1.2 Password Verifiers https://pages.nist.gov/800-63-4/sp800-63b.html#passwordver
The following requirements apply to passwords:
Verifiers and CSPs SHALL require passwords to be a minimum of eight characters in length and SHOULD require passwords to be a minimum of 15 characters in length.
Verifiers and CSPs SHOULD permit a maximum password length of at least 64 characters.
Verifiers and CSPs SHOULD accept all printing ASCII [RFC20] characters and the space character in passwords.
Verifiers and CSPs SHOULD accept Unicode [ISO/IEC 10646] characters in passwords. Each Unicode code point SHALL be counted as a single character when evaluating password length.
Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords.
Verifiers and CSPs SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
Verifiers and CSPs SHALL NOT permit the subscriber to store a hint that is accessible to an unauthenticated claimant.
Verifiers and CSPs SHALL NOT prompt subscribers to use knowledge-based authentication (KBA) (e.g., “What was the name of your first pet?”) or security questions when choosing passwords.
Verifiers SHALL verify the entire submitted password (i.e., not truncate it).
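What the NIST list above and the NCSC length guidance amount to in a verifier, shown as an added example (not code from the page, from NIST or from the NCSC): a check that applies the 15-character floor and 64-character ceiling counted in code points, accepts any printing ASCII, space or Unicode character, applies no composition rule, and hashes the whole submitted password. Beside it sits a constructed legacy policy of the kind the post complains about, with composition rules and a verifier that truncates to eight characters; its limits, the salt and the sample passwords are all constructed, and control characters are rejected by assumption (the page does not say).

```python
"""Verifier rules from the NIST SP 800-63B list above, beside the legacy-style
policy they replace. Added example, not code from the page or from NIST."""
import hashlib
import hmac
import unicodedata

# Limits taken from the NIST list above.
MIN_LEN = 15   # SHALL be at least 8; SHOULD be at least 15
MAX_LEN = 64   # SHOULD permit at least 64

# Constructed parameters for the legacy policy being contrasted; nothing on the
# page specifies them, they stand in for a typical 1990s-style rule set.
LEGACY_MIN, LEGACY_MAX, LEGACY_TRUNCATE = 8, 16, 8
SALT = b"constructed-demo-salt"   # a real verifier uses a random per-user salt


def nist_check(password: str) -> list:
    """Reasons the password is rejected under the NIST rules ([] = accepted).

    Length is counted in Unicode code points (len() on a Python str does
    exactly that); every printing ASCII character, the space and any other
    Unicode character is allowed, and no composition rule is applied.
    Rejecting control characters (category Cc) is an assumption of this
    example, not a rule from the page.
    """
    reasons = []
    if len(password) < MIN_LEN:
        reasons.append(f"fewer than {MIN_LEN} code points")
    if len(password) > MAX_LEN:
        reasons.append(f"more than {MAX_LEN} code points")
    if any(unicodedata.category(c) == "Cc" for c in password):
        reasons.append("contains control characters")
    return reasons


def legacy_check(password: str) -> list:
    """The composition-rule policy the post complains about (constructed)."""
    reasons = []
    if not LEGACY_MIN <= len(password) <= LEGACY_MAX:
        reasons.append(f"length not in {LEGACY_MIN}..{LEGACY_MAX}")
    classes = {
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(not c.isalnum() for c in password),
    }
    reasons += [f"missing {k}" for k, ok in classes.items() if not ok]
    return reasons


def _hash(password: str) -> bytes:
    # PBKDF2 with the constructed salt; iteration count kept low for the demo.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), SALT, 20_000)


def legacy_enrol(password: str) -> bytes:
    """Legacy verifier: silently truncates before hashing."""
    return _hash(password[:LEGACY_TRUNCATE])


def legacy_verify(stored: bytes, submitted: str) -> bool:
    return hmac.compare_digest(stored, _hash(submitted[:LEGACY_TRUNCATE]))


def nist_enrol(password: str) -> bytes:
    """NIST verifier: the entire submitted password is hashed, never truncated."""
    return _hash(password)


def nist_verify(stored: bytes, submitted: str) -> bool:
    return hmac.compare_digest(stored, _hash(submitted))


if __name__ == "__main__":
    for pw in ["P@ssw0rd", "correct horse battery staple", "Tr0ub4dor&3"]:
        print(f"{pw!r}: legacy={legacy_check(pw) or 'ok'} nist={nist_check(pw) or 'ok'}")
    stored = legacy_enrol("Tr0ub4dor&3")
    print("legacy accepts a wrong tail:", legacy_verify(stored, "Tr0ub4dor&X"))
    stored = nist_enrol("Tr0ub4dor&3 but longer")
    print("nist accepts a wrong tail:", nist_verify(stored, "Tr0ub4dor&X but longer"))
```

Running the comparison shows the inversion the post is angry about: the predictable `P@ssw0rd` satisfies every legacy class rule and is rejected by the NIST check only for length, while a four-word passphrase passes the NIST check and fails the legacy one twice over (too long, no upper case, no digit). The truncating legacy verifier also accepts any password that shares its first eight characters with the real one, which is the defect the final NIST requirement exists to rule out.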