Minimum password length required by AR 25-2?

Answer 1

10 characters minimum

15 or more is recommended

According to AR 25-2, Section IV, paragraph 4-12 b:

The IAM or designee will manage the password generation, issuance, and control process. If used, generate passwords in accordance with the BBP for Army Password Standards.

BBP for Army password standards are contained in 04-IA-O-0001, paragraph 5A:

(1) All system or system-level passwords and privileged-level accounts (e.g., root, enable, admin, administration accounts, etc.) will be a minimum of 15-character case-sensitive password changed every 60 days (IAW JTF-GNO CTO).

(2) All user-level, user-generated passwords (e.g., email, web, desktop computer, etc.) will change to a 14-character (or greater) case-sensitive password changed every 60 days.

From these two documents it would appear that the 10 character minimum is an outdated recommendation.

From this it would appear that the frequently repeated "8 character minimum" is outdated. Note that the only conditions where an 8 character password is allowed is:

(8) The use of eight character passwords are authorized when:

(I) The password generated is a purely random-generated authenticator from the complete alpha/numeric and special character sets and no user-configured passwords can replace, be generated, or accepted in lieu of the generated password. (For example: Credentialing system issues randomly generated authenticator AND enforce use of that authenticator to network resources.)

Or:

(II) Access to private applications is conducted over an approved 128-bit encrypted session between systems, and the application does not enforce local user access credentialing to a local network resources. (For example: User accesses local LAN connected system through traditional access procedures then accesses a web portal application over an SSL connection; the web portal password may be 8 characters.)

--- from 04-IA-O-0001, paragraph 5A

Answer 2

According to AR 25-2, Section IV, paragraph 4-12 b:

The IAM or designee will manage the password generation, issuance, and control process. If used, generate passwords in accordance with the BBP for Army Password Standards.

BBP for Army password standards are contained in 04-IA-O-0001, paragraph 5A:

(1) All system or system-level passwords and privileged-level accounts (e.g., root, enable, admin, administration accounts, etc.) will be a minimum of 15-character case-sensitive password changed every 60 days (IAW JTF-GNO CTO).

(2) All user-level, user-generated passwords (e.g., email, web, desktop computer, etc.) will change to a 14-character (or greater) case-sensitive password changed every 60 days.

From this it would appear that the frequently repeated "8 character minimum" is outdated. Note that the only conditions where an 8 character password is allowed is:

(8) The use of eight character passwords are authorized when:

(I) The password generated is a purely random-generated authenticator from the complete alpha/numeric and special character sets and no user-configured passwords can replace, be generated, or accepted in lieu of the generated password. (For example: Credentialing system issues randomly generated authenticator AND enforce use of that authenticator to network resources.)

Or:

(II) Access to private applications is conducted over an approved 128-bit encrypted session between systems, and the application does not enforce local user access credentialing to a local network resources. (For example: User accesses local LAN connected system through traditional access procedures then accesses a web portal application over an SSL connection; the web portal password may be 8 characters.)

--- from 04-IA-O-0001, paragraph 5A

Answer 3

According to AR 25-2, Section IV, paragraph 4-12 b:

The IAM or designee will manage the password generation, issuance, and control process. If used, generate passwords in accordance with the BBP for Army Password Standards.

BBP for Army password standards are contained in 04-IA-O-0001, paragraph 5A:

(1) All system or system-level passwords and privileged-level accounts (e.g., root, enable, admin, administration accounts, etc.) will be a minimum of 15-character case-sensitive password changed every 60 days (IAW JTF-GNO CTO).

(2) All user-level, user-generated passwords (e.g., email, web, desktop computer, etc.) will change to a 14-character (or greater) case-sensitive password changed every 60 days.

From this it would appear that the frequently repeated "8 character minimum" is outdated.

Answer 4

According to AR 25-2, Section IV, paragraph 4-12 b:

The IAM or designee will manage the password generation, issuance, and control process. If used, generate passwords in accordance with the BBP for Army Password Standards.

BBP for Army password standards are contained in 04-IA-O-0001, paragraph 5A:

(1) All system or system-level passwords and privileged-level accounts (e.g., root, enable, admin, administration accounts, etc.) will be a minimum of 15-character case-sensitive password changed every 60 days (IAW JTF-GNO CTO).

(2) All user-level, user-generated passwords (e.g., email, web, desktop computer, etc.) will change to a 14-character (or greater) case-sensitive password changed every 60 days.

.

.

.

(6) The password will be a mix of uppercase letters, lowercase letters, numbers, and special characters with a minimum of characters as follows:

a. Contains at least 2 uppercase characters: A, B, C etc.

b. Contains at least 2 lowercase characters: a, b, c, etc.

c. Contains at least 2 numbers: 1,2,3,4,5,6,7,8,9,0

d. Contains at least 2 special characters, i.e. ! @ # $ % ^ & * ( ) _ + | ~ - = \ ` { } [ ] : " ; ' < > ? , . /

(7) Passwords will not have the following characteristics:

a. Is a word found in any dictionary, thesaurus, or list (English or foreign)

b. Is any common usage word or reference such as:

(I) Names of family, pets, friends, co-workers, fantasy characters, etc.

(II) Computer terms and names, commands, sites, companies, hardware, software.

(III) Common words such as; "sanjose", "sanfran" or other derivative.

(IV) Birthdays, addresses, phone numbers, or other personal information.

(V) Word or number patterns like; aaabbb, qwerty, mypassword, abcde12345.

(VI) Any of the above spelled backwards.

(VII) Any of the above preceded or followed by a digit (e.g., secret1, 1secret).

(VIII) Social security numbers (SSNs).

(IX) USERID

(X) Military slang, acronyms, or descriptors or call signs.

(XI) System identification.

(8) The use of eight character passwords are authorized when:

(I) The password generated is a purely random-generated authenticator from the complete alpha/numeric and special character sets and no user-configured passwords can replace, be generated, or accepted in lieu of the generated password. (For example: Credentialing system issues randomly generated authenticator AND enforce use of that authenticator to network resources.)

Or:

(II) Access to private applications is conducted over an approved 128-bit encrypted session between systems, and the application does not enforce local user access credentialing to a local network resources. (For example: User accesses local LAN connected system through traditional access procedures then accesses a web portal application over an SSL connection; the web portal password may be 8 characters.)

So under normal circumstances, the minimum password length for privileged accounts must be 15 characters long and normal limited privilege user accounts must be 14 characters long. In both cases, the password complexity must comply with paragraphs (6) and (7) above.

Answer 5

AR 25-2 does not actually specify password length but the Army password requirements (from BBP 04-IA-O-0001 which AR 25-2 specifies should be followed) are:

• All system-level accounts and privileged-level accounts using passwords will be a minimum of 15-characters long and changed every 60 days
• All user-level accounts using passwords will be at least 14-characters long and changed every 60 days
• All passwords will be strong passwords containing the following characteristics:
• • at least two numbers
  • at least two special characters
  • at least two upper-case characters
  • at least two lower-case characters
• The password history will be set to 10
• The password Observation Window account lockout setting will be set to no more than 60 minutes with a lockout duration set to 0, and the number of attempts set to 3. A system administrator is to unlock the account when needed.
• Disable "Remember Password" features built into applications.
• SA/NM's will test accounts utilizing passwords for password weakness at least quarterly by using a password cracker

Answer 6

Minimum 15 characters.