views: 170

answers: 8

Hey,

I am considering using the following rules for a casual website.

  • 8-20 chars long
  • valid chars include letters, digits, and symbols
  • case sensitive

That's all. My question is, besides white space, are there other symbols that I should consider "illegal"? Please keep in mind that it is a casual website, so I don't need a password policy that is very restricted.

Thanks,

+7  A: 

You should let your users have whatever password they like. Maybe enforce a minimum length, but nothing else. You're sanitizing this before it hits your database anyway, right?

Anon.
Thanks, what you described makes sense to me now. Yeah, I will remove all the requirements except the restrictions on length. And yeah, I will sanitize all the input prior to storing it in the database.
sean717
+1 for sanitize
Rubens Farias
As RCC notes, you shouldn't be storing the password itself anyway. Hash it first.
Anon.
+2  A: 

Why would you want illegal characters? As long as it doesn't break any parts of your system (which it shouldn't), there's no real reason to reject it.

Yuliy
A: 

I would go from the other way around: don't reject invalid characters (you might forget to reject some) - instead check that every character is an allowed character.

Bandi-T
+17  A: 

Hopefully you are not storing passwords in your database. You should be storing the hash of the password only.

So, if you are creating a hash out of the password, why have any illegal characters?

You may want to enforce a minimum password length, just for their own protection.

Even if you do restrict characters, why would you consider white space an illegal character? Many users create "pass phrases" to secure their passwords.

Robert Cartaino
IMO, every site should treat passwords like they are diamonds. You never know when a user will use their bank password for some 'casual' web site and your site becomes the way they get broken open. Be a good citizen and realize that by asking for a password, you are asking for trust.
Jim Leonardo
Thanks, the max password length will be removed too. The only restriction for the password will be "minimum 8 chars long".
sean717
@Jim Leonardo ...and the way to accomplish that is to *never* store a password in your database. No encryption, no lock-and-key trust. Hashes **only**.
Robert Cartaino
@Robert C Cartaino - Yes... exactly. The only responsible way to deal with passwords is hashing them. When a site can return your password to you when you forget it, it's a *bad* sign.
Jim Leonardo
@Jim Leonardo - A bad sign, yes. Doubly so because your recovered password is being broadcast across the Internet in a clear-text email.
Robert Cartaino
Don't forget to add (really random) salt! (Aren't there systems for this sort of thing?)
Tom Hawtin - tackline
@Tom: I believe ASP.NET's built in system provides the salting by default.
keyboardP
Yay for .Net...
Tom Hawtin - tackline
The site http://www.passwordfail.com/ (no affiliation) is now tracking websites that send out plain text passwords either when you register or change your password.
notJim
+2  A: 

Why do you want to limit passwords to 20 characters? A minimum encourages users to select harder to guess phrases, but why limit it?

Same goes for limiting the characters which can be used. Why restrict it at all?

Despite your website being casual, it is bad practice to store passwords in plaintext form. At the very least, concatenate some salt (such as the username plus some constant string for your site) and store the SHA-1 hash of it. Since users tend to use the same passwords at multiple sites, this provides a nice measure of protection against cross-site hacking should your site's passwords be hijacked.

wallyk
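The salt-then-hash scheme described in this answer and in the comment thread above (Robert Cartaino's "hashes only", Tom Hawtin's "really random salt"), as an added example that is not part of the original thread. It uses a per-user random salt and PBKDF2 from the Python standard library in place of the plain SHA-1 named here, verifies in constant time, and enforces the minimum-length-only policy the asker settled on; function names and parameter values are my own choices.

```python
import hashlib
import hmac
import os

# Parameters chosen for this example; tune ITERATIONS to your hardware.
ALGORITHM = "sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
MIN_LENGTH = 8  # the only policy the thread settled on


def password_is_acceptable(password: str) -> bool:
    """Enforce the minimum length only. Every character, including
    whitespace and non-ASCII, is allowed so pass phrases work."""
    return len(password) >= MIN_LENGTH


def hash_password(password: str, salt=None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.
    A fresh random salt per user means identical passwords produce
    different records, so a leaked table cannot be cracked in bulk."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"),
                                 salt, ITERATIONS)
    return f"pbkdf2_{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the parameters stored in the record and
    compare in constant time so the check leaks no timing information."""
    algo_tag, iterations, salt_hex, digest_hex = record.split("$")
    algorithm = algo_tag[len("pbkdf2_"):]
    candidate = hashlib.pbkdf2_hmac(algorithm, password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample: a pass phrase with spaces and a non-ASCII letter.
    phrase = "correct horse battery staple ü"
    assert password_is_acceptable(phrase)
    record_a = hash_password(phrase)
    record_b = hash_password(phrase)
    assert record_a != record_b          # different salts, different records
    assert verify_password(phrase, record_a)
    assert not verify_password(phrase.upper(), record_a)  # case sensitive
    print(record_a)                      # this, not the password, is stored
```

Only the record string is written to the database; the password itself never is, which is why no character needs to be "illegal".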
+1  A: 

How about getting out of the password business and using Open ID like SO uses?

Jim Leonardo
Please don't encourage OpenID. Ignore them until they go away, and with luck something useful will replace them.
Jason Kester
Please encourage OpenID. Hopefully they will get noticed and we'll have competition to create a better and more widespread system.
Tom Hawtin - tackline
+1  A: 

Most sites either require 6+ characters, or have no minimum limit. While 6 is not very secure, it probably doesn't matter too much since it's a casual website. You should probably allow passwords as short as 6 characters, to make the users happier if they want shorter passwords.

I see no reason to disallow any particular characters. A lot of sites only allow alphanumeric characters, but I don't know why. Just make sure that the characters won't interfere with the website source code, and you should be fine.

Michael Dickens
A: 

Don't do that. 8 characters is way too long for a casual site, and users are fickle. Any requirement whatsoever that you place on password complexity will lose you users.

Unless you're a bank, you shouldn't be enforcing password complexity of any sort. If a user wants the letter 'a' as his password, let him go for it. When he finds that some malicious entity is shortening URLs in his name (or whatever your site does), he can deal with it and possibly learn a good lesson.

The important thing to remember is that it's not your problem, and you can only piss people off by enforcing complexity.

Jason Kester
It does become your problem when your reputation is smudged because hackers have gained access to your users' passwords.
keyboardP