DBOD Password policy

Among the actions resulting from the CERN security audit (2023) are the new Subsidiary Rules concerning Identities, Authentication & Authorization (IAA), in particular (IAA6) Password Protection and (IAA7) 2-Factor Authentication.

The rules prescribe enforcing a password policy that complies with NIST SP 800-63B:

  1. passwords should be at least 15 characters long
  2. passwords should have simple or no complexity rules
  3. passwords must not be easy to guess
  4. passwords must not be among compromised passwords (those disclosed in the public domain)

and some additional measures:

  1. passwords must expire at least once per year
  2. an emergency credential/password reset must be ready to be triggered at any time
  3. logins/logouts and relevant DDL operations must be audited and remain accessible for at least 13 months
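As an added illustration, not DBOD code and not the implementation the team is preparing, the following Python check applies the four NIST-style rules above plus the one-year expiry. The compromised-password list and the guessability heuristics are constructed assumptions; a real deployment would screen against a full breach corpus.

```python
import hashlib
from datetime import date, timedelta

MIN_LENGTH = 15
MAX_AGE = timedelta(days=365)  # additional measure: rotate at least once per year

# Constructed sample of a compromised-password list, kept as SHA-1 digests so
# no plaintext sits in the source (assumption: a real list comes from a breach
# corpus or lookup service; these two entries are made up for the example).
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("correcthorsebatterystaple", "password123456789")
}

# Keyboard rows, the alphabet and digits; any 6-character run from these
# inside a password counts as "easy to guess" (heuristic, an assumption).
SEQUENCES = ("0123456789", "qwertyuiopasdfghjklzxcvbnm", "abcdefghijklmnopqrstuvwxyz")


def guessable(password, username="", window=6):
    """Cheap heuristics for rule 3: account name inside the password,
    almost no distinct characters, or a keyboard/alphabet/digit run."""
    low = password.lower()
    if username and username.lower() in low:
        return True
    if len(set(low)) <= 2:
        return True
    return any(low[i:i + window] in seq
               for seq in SEQUENCES
               for i in range(len(low) - window + 1))


def check_password(password, username="", last_changed=None, today=None):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:                       # rule 1
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # rule 2: no composition rules, so a long passphrase of lower-case
    # words with spaces is fine; length and screening do the work.
    if guessable(password, username):                    # rule 3
        problems.append("easy to guess")
    digest = hashlib.sha1(password.encode()).hexdigest()
    if digest in COMPROMISED_SHA1:                       # rule 4
        problems.append("found in a compromised-password list")
    if last_changed is not None:                         # yearly expiry
        if (today or date.today()) - last_changed > MAX_AGE:
            problems.append("older than one year, must be rotated")
    return problems
```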

The DBOD team is actively preparing the implementation of this policy during 2026. Further information and announcements will follow in due course.