Standards for Strong Passwords?
Message
From:
Date: 03/08/2009 10:11:57

General information
Forum: Visual FoxPro
Category: Other
Environment versions
Visual FoxPro: VFP 9 SP2
Miscellaneous
Thread ID: 01415871
Message ID: 01415882
Views: 75
Actually there is, but for government systems. See the DoD/NSA NCSC Trusted Computer System Evaluation Criteria (TCSEC) C2 Certification, the Common Criteria Evaluation and Validation Scheme (CCEVS) (which overrides some of the orange and red book stuff), and the rainbow series (orange and red books).

It's being revised now:
http://www.niap-ccevs.org/cc-scheme/

>Hi Kevin,
>
>there's no standard... Password strength actually depends on a number of factors. For instance, when the requirement is that there must be lower case, upper case and digits, most people end up with a password that starts with an upper case character and has the digit at the end. Passwords that do not follow this pattern are often hard to remember. Therefore users will either write it down, or only use slight variations of the password when they need to change it. They also tend to use the same password in various places.
>
>The idea behind a strong password is originally to prevent dictionary attacks. There are lists with hundreds of thousands of common words available that tools can use to automate logon attempts. While this seems like a high number, it is significantly lower than purely random passwords with the same length. They drastically reduce the number of attempts one needs in a trial and error attack. Hence, to defend against such attacks your system must meet two criteria:
>
>- Passwords should not be in a dictionary
>- Limited number of logon attempts
>
>The second part is the more important part. Whether someone can try thousands of passwords each second, or only a dozen per hour, makes quite a difference when trying to break in. You can achieve this by using incrementing pauses after each unsuccessful attempt. Make the user wait 1-2-4-8-16-32 seconds each time they enter a wrong password. Most users will get it right after a few attempts or call an administrator. Automated scripts will be stopped very quickly.
>
>To avoid dictionary attacks, a common approach that also avoids hard-to-remember passwords is pass phrases. Users enter a simple sentence like this one instead of a password. You can also combine two or three words, which greatly increases security as well. A password such as "apple sun part" is easy to remember, but still a secure one (too long for brute force, no easy dictionary attack).
"When the debate is lost, slander becomes the tool of the loser." - Socrates
Vita contingit, Vive cum eo. (Life Happens, Live With it.)
"Life is not measured by the number of breaths we take, but by the moments that take our breath away." -- author unknown
"De omnibus dubitandum"
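The incrementing-pause throttle (1-2-4-8-16-32 seconds) and the dictionary check described in the quoted reply, as an added Python example that is not code from this thread or from the forum software; `Throttle`, `lockout_delay`, `in_dictionary` and the word list are constructed for illustration.

```python
import time
from dataclasses import dataclass

# Constructed stand-in for the "hundreds of thousands" of words a cracking
# tool would try; a real deployment loads a full word list from a file.
COMMON_WORDS = {"password", "apple", "sun", "part", "letmein", "welcome"}

def in_dictionary(password: str) -> bool:
    """True when the password is one dictionary word (any case), optionally
    followed by trailing digits, the weak pattern the reply describes."""
    core = password.lower().rstrip("0123456789")
    return core in COMMON_WORDS

def lockout_delay(failures: int, cap: int = 32) -> int:
    """Seconds to wait after `failures` consecutive wrong passwords:
    0 before any failure, then 1, 2, 4, 8, 16, 32, and capped at 32."""
    if failures <= 0:
        return 0
    return min(2 ** (failures - 1), cap)

@dataclass
class AccountState:
    failures: int = 0
    last_failure: float = 0.0

class Throttle:
    """Per-account incrementing pause, keyed by user name (hypothetical API).
    The clock is injectable so the behaviour can be tested without sleeping."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts: dict[str, AccountState] = {}

    def seconds_until_allowed(self, user: str) -> float:
        """How long this account must still wait before another attempt."""
        st = self.accounts.get(user)
        if st is None or st.failures == 0:
            return 0.0
        ready_at = st.last_failure + lockout_delay(st.failures)
        return max(0.0, ready_at - self.clock())

    def record(self, user: str, success: bool) -> None:
        """Update the account after an attempt; a correct login clears the backoff."""
        st = self.accounts.setdefault(user, AccountState())
        if success:
            st.failures = 0
        else:
            st.failures += 1
            st.last_failure = self.clock()
```

The 32-second cap keeps a flood of wrong guesses from locking a legitimate user out indefinitely while still holding an automated script to a few attempts per minute.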