
Possible Duplicate:
XKCD #936: Short complex password, or long dictionary passphrase?

I'm developing a website and am curious about the current trends in the nature of passwords. Is it good to force users to use a letter, a capital, a number, a special character, etc.? Does this encourage users to make stronger passwords, or is it just an encumbrance? Currently I am thinking about a minimum length and requiring it to be ASCII. Are any of the other things worth using?

ryno

2 Answers

2

Based on the Anderson formula -> http://joebi.blogspot.com/2006/12/how-to-defend-password-guessing.html

The most important thing is the password length, the second most important thing is the number of possible signs/letters/numbers.

If you want to enforce a minimum password length of 20, you will be all right with just letters.

20^24 = 16777216000000000000000000000000

If less than that but more than 15, you will be OK with alphanumerics.

15^34 = 9707397373664756887592375278472900390625

What is often overlooked is physical password security: a hard-to-remember password will often be written on a post-it note, or can be easily recognized when someone is looking over your shoulder, because you will type it slowly and carefully. I prefer longer passwords with multiple words that are easy to remember.

iwillnevertellyouthepassword is unbreakable at this time, and you will remember it more easily than $%FD#sffe2e

mnmnc
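As an added worked example (not part of mnmnc's answer), the following Python puts numbers on the length-versus-alphabet argument: it computes the brute-force search space and entropy in bits for the two passwords quoted above, and also estimates the passphrase under a word model, which is the caveat to keep in mind when the words are ordinary dictionary words. The 95-symbol printable-ASCII alphabet, the 10,000-word dictionary and the 10^10 guesses/second rate are assumptions chosen for illustration, not figures from the answer.

```python
import math
from typing import Dict

# Character classes for printable ASCII: 26 lower, 26 upper, 10 digits,
# 33 punctuation/space. The 95-symbol total is an assumption for illustration.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of exactly `length` symbols over the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the search space: the bits an attacker must brute-force."""
    return length * math.log2(alphabet_size)


def alphabet_size_of(password: str) -> int:
    """Smallest union of character classes covering every character used.
    This is the attacker's view when searching character by character."""
    size = 0
    if any(c.islower() for c in password):
        size += CLASS_SIZES["lower"]
    if any(c.isupper() for c in password):
        size += CLASS_SIZES["upper"]
    if any(c.isdigit() for c in password):
        size += CLASS_SIZES["digit"]
    if any(not c.isalnum() for c in password):
        size += CLASS_SIZES["symbol"]
    return size


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy if the attacker knows the password is `word_count` words drawn
    from a `dictionary_size`-word list (a dictionary-combination attack)."""
    return word_count * math.log2(dictionary_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Expected years until a hit, searching half the space on average."""
    return 2 ** (bits - 1) / guesses_per_second / (365.25 * 86400)


def compare(password: str, word_count: int = 0, dictionary_size: int = 10_000,
            guesses_per_second: float = 1e10) -> Dict[str, float]:
    """Bits and expected cracking time under the character model and, when
    word_count > 0, under the word model as well."""
    alphabet = alphabet_size_of(password)
    char_bits = entropy_bits(alphabet, len(password))
    result = {
        "length": len(password),
        "alphabet": alphabet,
        "char_bits": char_bits,
        "char_years": years_to_exhaust(char_bits, guesses_per_second),
    }
    if word_count:
        word_bits = passphrase_bits(word_count, dictionary_size)
        result["word_bits"] = word_bits
        result["word_years"] = years_to_exhaust(word_bits, guesses_per_second)
    return result


if __name__ == "__main__":
    # The passphrase is "i will never tell you the password": 7 dictionary words.
    for pw, words in (("iwillnevertellyouthepassword", 7), ("$%FD#sffe2e", 0)):
        print(pw, compare(pw, words))
```

The 28-letter passphrase comes out at about 132 bits under the character model versus about 72 bits for the 11-character mixed string; even if the attacker knows it is seven words from a 10,000-word list, it still has around 93 bits, which is more than the short complex password. The word model is the one to design against: a passphrase made of a few very common words from a small list can fall well below that.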
0

I believe it is certainly appropriate to set restrictions on passwords. But it depends on what you are trying to protect!

Depending on what information your site (and its authentication system) is guarding, you might be able to get away with setting restrictions to:

min_length = 6 and never expire. While not requiring any form of special characters at all.

But if the site is going to be holding really sensitive information, then you should set much tighter restrictions.

The security settings on your site should be commensurate with the importance of the data they are protecting.

That being said, you can go too far. Requiring a password that is 32 characters long and forcing a change every 10 days is going to anger users, encourage them to write the password down, or perhaps make them not even bother using the site (and find something else).

In summary: the last recommendation I remember reading (I don't have a link for you) was 12 characters minimum with at least 1 number or special character. Also, consider implementing a system that disables an account for a set length of time (30 minutes, 2 hours, whatever) after x failed logins.

Hope this helps.

MCR
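As an added example (not part of MCR's answer), here is one way to implement the two mechanisms the answer recommends in Python: a configurable password policy with the 12-character minimum and the digit-or-symbol rule as defaults (the looser `min_length=6` variant is the same class with different parameters), and a login throttle that disables an account for a fixed period after a set number of failed logins. The `FakeClock`, the `demo()` credential store and the user name `alice` are constructed for the demonstration and are not from the answer; a real site would store password hashes, not the password itself.

```python
import time
from typing import Callable, Dict, List


class PasswordPolicy:
    """Minimum length, at least one digit or special character, ASCII only.
    Defaults follow the 12-character recommendation in the answer."""

    def __init__(self, min_length: int = 12, require_digit_or_symbol: bool = True,
                 ascii_only: bool = True):
        self.min_length = min_length
        self.require_digit_or_symbol = require_digit_or_symbol
        self.ascii_only = ascii_only

    def check(self, password: str) -> List[str]:
        """Return the violated rules; an empty list means the password is accepted."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if self.ascii_only and not password.isascii():
            problems.append("contains non-ASCII characters")
        if self.require_digit_or_symbol and not any(
                c.isdigit() or (not c.isalnum() and not c.isspace()) for c in password):
            problems.append("needs at least one digit or special character")
        return problems


class LoginThrottle:
    """Disable an account for lockout_seconds after max_failures consecutive
    failed logins. The clock is injectable so the expiry can be tested."""

    def __init__(self, max_failures: int = 5, lockout_seconds: float = 1800.0,
                 clock: Callable[[], float] = time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures: Dict[str, int] = {}
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, username: str) -> bool:
        until = self._locked_until.get(username)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout expired: clear the counter so the account starts fresh.
            del self._locked_until[username]
            self._failures.pop(username, None)
            return False
        return True

    def record_failure(self, username: str) -> bool:
        """Count a failed attempt; return True if it triggered a lockout."""
        count = self._failures.get(username, 0) + 1
        self._failures[username] = count
        if count >= self.max_failures:
            self._locked_until[username] = self.clock() + self.lockout_seconds
            return True
        return False

    def record_success(self, username: str) -> None:
        self._failures.pop(username, None)
        self._locked_until.pop(username, None)

    def attempt(self, username: str, password: str,
                verify: Callable[[str, str], bool]) -> str:
        """Gate a login: 'locked', 'failed' or 'ok'. A locked account is refused
        before the credential is checked, so further guessing makes no progress."""
        if self.is_locked(username):
            return "locked"
        if verify(username, password):
            self.record_success(username)
            return "ok"
        return "locked" if self.record_failure(username) else "failed"


class FakeClock:
    """Manually advanced clock, used only to show the lockout expiring."""

    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def demo() -> List[str]:
    """Five wrong guesses lock 'alice'; the right password is refused while the
    lock holds and accepted once 30 minutes have passed on the fake clock."""
    clock = FakeClock()
    throttle = LoginThrottle(max_failures=5, lockout_seconds=1800, clock=clock)
    stored = {"alice": "correct-horse-9"}  # constructed demo store (plaintext only for the demo)
    verify = lambda user, pw: stored.get(user) == pw
    outcomes = [throttle.attempt("alice", "wrong-guess", verify) for _ in range(5)]
    outcomes.append(throttle.attempt("alice", "correct-horse-9", verify))
    clock.now += 1800
    outcomes.append(throttle.attempt("alice", "correct-horse-9", verify))
    return outcomes


if __name__ == "__main__":
    print(PasswordPolicy().check("password"))
    print(demo())
```

Two things to watch when deploying this: the policy above would reject a long all-letter passphrase such as the one in the other answer purely for lacking a digit, which is the trade-off the question is asking about; and a lockout keyed only by account name lets anyone lock a victim out by deliberately failing five times, so it is normally paired with a per-client (IP or session) rate limit rather than used alone.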