For the past few years my company has been using a password policy that I crafted based on reading various online tech articles. Our current policy is to require password changes every 4 months, to require an 8 character minimum and to require the standard Microsoft complexity (3 of the following 4: Capital letter, lowercase letter, number and alphanumeric).
The design of this policy will supposedly protect us against a brute force attack. Such an attack will allegedly take 4 months to run through every possible combination of characters in a complex password with a length of 8 characters.
I would like to increase the complexity of the password in exchange for an increased password age of 6 months. Every time a password cycle hits we have a rash of issues with users forgetting their new password, their mobile phones' email not working because of their cache needing to be cleared (battery removal trick) or some other password related issues.
The question is: what minimum password length would be required to maintain the same level of security at a 6 month maximum password age?
If the formula is a linear one, I would think it would be:
(8-characters) * (6-months) / (4-months) = 12 characters
But, I'm not confident in my simple assumptions.
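As an added illustration (not part of the original question), the arithmetic behind the 4-month assumption can be worked through directly: if a brute-force search exhausts every 8-character password in 4 months, the number of combinations grows exponentially with length, so the linear formula above and the keyspace-based calculation give very different answers. The 95-character alphabet is an assumption (all printable ASCII, an upper bound for the "3 of 4 classes" rule), and the figures model only the exhaustive search described in the question.

```python
# Constructed assumption: full printable ASCII (26 upper + 26 lower + 10 digits + 33 symbols).
# A "3 of 4 classes" rule excludes a few combinations, so real keyspaces are slightly smaller.
ALPHABET = 95


def keyspace(length: int, alphabet: int = ALPHABET) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet ** length


def linear_guess(length: int, old_age: int, new_age: int) -> float:
    """The linear formula from the question: scale length with the age ratio."""
    return length * new_age / old_age


def months_to_exhaust(length: int, base_length: int, base_months: int,
                      alphabet: int = ALPHABET) -> float:
    """Months an exhaustive search would need, given that `base_length`
    characters take `base_months` (same attacker speed assumed)."""
    return base_months * keyspace(length, alphabet) / keyspace(base_length, alphabet)


def min_length_for_age(base_length: int, base_months: int, new_months: int,
                       alphabet: int = ALPHABET) -> int:
    """Smallest length whose exhaustive search takes at least `new_months`,
    calibrated on `base_length` characters lasting `base_months`.
    Integer comparison avoids floating-point rounding on large keyspaces."""
    length = base_length
    while keyspace(length, alphabet) * base_months < keyspace(base_length, alphabet) * new_months:
        length += 1
    return length


if __name__ == "__main__":
    print("linear guess:", linear_guess(8, 4, 6))          # 12.0
    print("keyspace-based minimum:", min_length_for_age(8, 4, 6))  # 9
    for n in (8, 9, 10):
        print(f"{n} chars -> {months_to_exhaust(n, 8, 4):,.0f} months to exhaust")
```

Each added character multiplies the search time by the alphabet size (95 here), so a 9-character minimum already stretches the 4-month figure to roughly 380 months; the policy's length and expiry interval are therefore not trading off linearly.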