After an internal penetration test showed that short employee passwords were cracked in minutes, management wants to update the corporate password policy. Which revised requirement BEST aligns with common enterprise standards for stronger user credentials?
Set a minimum of 12 characters and require at least three of the following: uppercase letter, lowercase letter, number, symbol
Implement 6-digit numeric PINs that must be changed every 90 days
Require 12-character passwords composed only of lowercase letters
Keep the current complexity rules but lower the minimum length to 8 characters
Longer passwords that include multiple character classes drastically increase the keyspace, making brute-force and dictionary attacks far slower. Requiring 12+ characters and at least three of the four character types (uppercase, lowercase, digit, symbol) is consistent with many higher-education and corporate standards. By contrast, keeping an eight-character minimum, limiting characters to lowercase only, or relying on a short numeric PIN still leaves passwords vulnerable to automated guessing tools.
Michigan Tech's published standard requires a minimum of 12 characters and at least three character classes.
CISA guidance urges long, random, mixed-character passwords and highlights that short or simple strings are easily cracked.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a brute-force attack?
Open an interactive chat with Bash
Why is enforcing password complexity important?
Open an interactive chat with Bash
What are dictionary attacks, and how do they work?