Users who create easily guessable passwords are at risk of having their accounts compromised.
To protect users from account compromise, a password policy has been defined that enforces the creation of passwords that are not easy to guess and protects against brute-force attacks.
Owners or stakeholders of TELUS projects that handle user registration with user-created passwords should implement the following password policy:
- Minimum 8 characters in length, no spaces
- Must be alpha-numeric
- Must contain lowercase and uppercase letters
- Account must lockout after 5 unsuccessful login attempts
- Maintain a blacklist of common passwords (including “password”) and reject passwords that contain the user ID or similar values
- Maintain a password history and require that a new password cannot match any of the 5 most recent passwords
- Must not include more than 2 repeated alphabetic or numeric characters
- Must not include numeric or alphabetic sequences longer than 2 characters (e.g., 123, abc, 321, cba)
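The rules above as a registration-time check, written here as an added example rather than TELUS's own code. It assumes "repeated" means consecutive identical characters, "alpha-numeric" means at least one letter and one digit, the blacklist is matched as a substring, and the history is compared in plaintext for illustration (a real store would compare hashes).

```python
import re

COMMON_PASSWORDS = {"password", "qwerty", "letmein", "welcome"}  # constructed sample blacklist
MAX_FAILED_ATTEMPTS = 5  # policy: lock the account after 5 unsuccessful logins

def _has_run(pw: str, limit: int = 2) -> bool:
    # Assumed reading of the policy: no alphanumeric character more than `limit` times in a row.
    run = 1
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if (cur == prev and cur.isalnum()) else 1
        if run > limit:
            return True
    return False

def _has_sequence(pw: str, limit: int = 2) -> bool:
    # Ascending or descending runs of letters or digits longer than `limit`, e.g. 123, abc, cba.
    low = pw.lower()
    for step in (1, -1):
        run = 1
        for prev, cur in zip(low, low[1:]):
            same_class = (prev.isdigit() and cur.isdigit()) or (prev.isalpha() and cur.isalpha())
            run = run + 1 if (same_class and ord(cur) - ord(prev) == step) else 1
            if run > limit:
                return True
    return False

def validate_password(pw: str, userid: str, history: list[str]) -> list[str]:
    # Returns the list of violated rules; an empty list means the password is acceptable.
    problems = []
    low = pw.lower()
    if len(pw) < 8 or " " in pw:
        problems.append("length")
    if not (re.search(r"[A-Za-z]", pw) and re.search(r"[0-9]", pw)):  # assumed: letters and digits both present
        problems.append("alphanumeric")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        problems.append("mixed-case")
    if any(word in low for word in COMMON_PASSWORDS) or (userid and userid.lower() in low):
        problems.append("blacklist")
    if pw in history[-5:]:  # the 5 most recent passwords
        problems.append("history")
    if _has_run(pw):
        problems.append("repeat")
    if _has_sequence(pw):
        problems.append("sequence")
    return problems

def record_failed_login(failures: dict[str, int], userid: str) -> bool:
    # Counts a failed login; returns True once the account must be locked under the 5-attempt rule.
    failures[userid] = failures.get(userid, 0) + 1
    return failures[userid] >= MAX_FAILED_ATTEMPTS
```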