
If you try creating an account using your smartphone, these platforms don't seem to have strong password requirements. They both enforce a minimum 6 character limit and nothing else (I did however notice Twitter seems to filter out certain passwords like 111111 whereas this is a legitimate password on Facebook).

I can understand that enforcing strict rules such as uppercase, lowercase, number, and symbol can frustrate users and make passwords less memorable. However, I'm not convinced how the current password validation (or lack thereof) is a better choice.

Why do these apps not enforce the aforementioned guidelines? If I'm creating a new app now, how should I approach this problem?

user246392
  • related: [Facebook allows password + any character](https://security.stackexchange.com/questions/146763/facebook-allows-password-any-character), [Facebook password lowercase and uppercase](https://security.stackexchange.com/questions/68013/facebook-password-lowercase-and-uppercase/). – Steffen Ullrich Nov 04 '18 at 17:04
  • The question is not clear: in the title you ask why Facebook and Twitter allow lax passwords. In the question instead you ultimately ask how you should handle password complexity in your own application. Please align title and question to show what you really want to know. – Steffen Ullrich Nov 04 '18 at 17:05
  • Possible duplicate of [what are good requirements for a password](https://security.stackexchange.com/questions/29836/what-are-good-requirements-for-a-password), [Recommended policy on password complexity](https://security.stackexchange.com/questions/3248/recommended-policy-on-password-complexity), [Are password complexity rules counterproductive?](https://security.stackexchange.com/questions/32222/are-password-complexity-rules-counterproductive), [Why do password strength requirements exist?](https://security.stackexchange.com/questions/16455/why-do-password-strength-requirements-exist). – Steffen Ullrich Nov 04 '18 at 17:08
  • This post provides some clues: https://www.troyhunt.com/passwords-evolved-authentication-guidance-for-the-modern-era/ In short: password complexity requirements can make things worse in practice, esp. in large systems like the ones in the Q. – buherator Nov 04 '18 at 20:08

1 Answer


Facebook and Twitter have very...specific, controversial security postures. They serve a broad market and the security space does not always appreciate everything they do. My recommendation for an app you're building might be not to follow Facebook and Twitter's examples in terms of security.

For resources, I recommend looking to OWASP first. If you're not familiar with OWASP, they're a collection of application security methods and best practices, giving visibility on the whole lifecycle - from conception and design through to pentesting. They lead the appsec industry and speak with a huge amount of (well-earned) authority.

All that being said, definitely check out OWASP's information on password strength controls. If you're looking for help with password strength implementation, hopefully that should sort you out. (And while you're there, have a look at the OWASP Top 10 for other helpful tips when it comes to building your app.)

Great question by the way. Good luck with the app!

securityOrange
  • Can you tell us more about their very specific, controversial security postures? – Michael Hampton Nov 04 '18 at 19:24
  • Absolutely. One comment isn't quite enough to be comprehensive, but the gist of it is that these (and similar) companies are quite secure in some regards, insecure in others, and generally may or may not take best practices into account. In particular, Facebook's posture is complex to say the least. – securityOrange Nov 05 '18 at 01:03
  • For a more comprehensive answer, I'd direct you to [Zuckerberg's Senate hearings](https://www.washingtonpost.com/news/the-switch/wp/2018/04/10/transcript-of-mark-zuckerbergs-senate-hearing/?utm_term=.a7e5c05adc15). Or, if not to the hearings, then I'd point you to [Facebook's recent breach of 50 million accounts](https://www.nytimes.com/2018/09/28/technology/facebook-hack-data-breach.html). Or, if not that breach, then I'd point you to the fact that [Pew found 67% of all tweeted links to be from bots](http://www.pewresearch.org/fact-tank/2018/04/09/5-things-to-know-about-bots-on-twitter/). – securityOrange Nov 05 '18 at 01:15
  • @MichaelHampton Hope this helped, and let me know if you have any other questions. I wish there was more room for longer answers - it's an interesting, rabbit hole-y topic. – securityOrange Nov 05 '18 at 01:16
  • You've got plenty of room for it! Your answer is only 4% of the maximum length... It's better to edit your answer anyway, as comments are only temporary. – Michael Hampton Nov 05 '18 at 01:59
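An added example, not code from the question, the answer or OWASP, contrasting the three policies this thread discusses: the length-only check the asker observed at sign-up, the upper/lower/digit/symbol rule they found frustrating, and a length-plus-blocklist check in the direction the linked Troy Hunt post and the OWASP guidance point. The sample blocklist, the leet-substitution table and the 8/128 length bounds are assumptions chosen for the demo.

```python
import re
from typing import Dict, List

# Constructed sample blocklist for this demo only; a real deployment loads a
# large breached/common-password list instead of a hand-picked handful.
COMMON_PASSWORDS = {"111111", "123456", "password", "qwerty", "letmein", "abc123"}

# Leet substitutions that cracking wordlists already cover, so "Passw0rd!"
# is treated the same as "password" (assumed table, not an OWASP list).
_SUBSTITUTIONS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                                "5": "s", "@": "a", "$": "s"})

def minimal_check(password: str) -> bool:
    """The rule the question observed at sign-up: >= 6 characters, nothing else."""
    return len(password) >= 6

def composition_check(password: str) -> bool:
    """The upper/lower/digit/symbol rule the asker found frustrating (>= 8 chars)."""
    return (len(password) >= 8
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"[0-9]", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)

def _normalize(password: str) -> str:
    """Lowercase, drop trailing digits/symbols, then undo leet substitutions."""
    return re.sub(r"[^a-z]+$", "", password.lower()).translate(_SUBSTITUTIONS)

def modern_check(password: str, username: str = "", blocklist=COMMON_PASSWORDS) -> List[str]:
    """Length plus blocklist, no character-class rules; empty list means accepted."""
    reasons = []
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    if len(password) > 128:
        reasons.append("longer than 128 characters")
    if password.lower() in blocklist or _normalize(password) in blocklist:
        reasons.append("matches a common/breached password")
    if len(set(password)) == 1:
        reasons.append("single repeated character")
    if username and username.lower() in password.lower():
        reasons.append("contains the username")
    return reasons

def compare(password: str) -> Dict[str, bool]:
    """True means the named policy accepts the password."""
    return {"length_only": minimal_check(password),
            "composition": composition_check(password),
            "length_plus_blocklist": not modern_check(password)}
```

`compare("Passw0rd!")` shows the composition rule accepting a password the blocklist rejects, while `compare("correct horse battery staple")` shows the reverse: the composition rule rejects a long passphrase the blocklist check accepts.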