The Community Blog for Business Analysts

Peter, I think items 1 through 3 in your list are data definitions about the exact properties of the data element called 'password.' Those will lead to functionality needed to test whether a valid password is entered, what to do if it is not, etc.

Your item #4 is actually a business rule, a policy regarding security concerns on this system. That should lead to a number of derived functional requirements, such as what the system does if the user's password has not been changed in the past 60 days.

The BA's job is to derive all the necessary functionality descriptions needed for the system to comply with these data definition attributes and relevant business rules. If the specified requirements stopped with this sort of information, you're just asking someone else, like a developer, to figure out just how to handle those password validations and password change behavior. Someone needs to make those choices.

Indeed. I agree with Karl. The example you served is largely an example of what does not constitute a functional requirement. Though in principle you question should be answered YES. If the main functionality of reusable product is providing security the functional requirements are a MUST.
In the requirements one needs to specify what the tool DOES.
Derived from the requirements Functional Designs might elaborate on implementation details.

For example functional requirements would be:
- System must have a capacity of maintaining 26 billion active accounts.
-System must provide security 1, 2, 3 level logins..
where level 1 is...
level 2 is..
level 3 is
- system must support 12 million concurrent sessions

From the above requirements you derive first the Architectural Design, High Level Designs, and finally Detailed Functional Designs ( though some would say Architecture is a part of HLD ).

In your question you brought an excellent point: what is and what is not functional depends on the context or scope of the project.
In your example 60 days is a policy . But the fact that the system must support expiring of accounts is a functional requirement.

With all views of responses to this question, still I have not seen any clear answer to the user's enquiry from 1 to 3, Are these functional or non-functional? We all know that Security is Non-Functional Requirement, however, in my opinion in the example above as this is an input validation, it becomes an integral part of the system's functionality, so I would say 1 to 3 are functional requirements.

However, it can also be non functional as it refers to specific rules that apply to a system, it might be that you wish to keep the password limited to certain characters, which makes it a rule and nonfunctional requirements, so it all depends on the context of your project actually.

Greg you wrote

For example functional requirements would be:
- System must have a capacity of maintaining 26 billion active accounts.
-System must provide security 1, 2, 3 level logins..
where level 1 is...
level 2 is..
level 3 is
- system must support 12 million concurrent sessions

The Capacity is not a functional requirement
supporting 12 million concurrent sessions is not a functional requirement too