One of the most annoying things to me is when a website will attempt to “improve security” and think they are helping out the end-user by requiring a password to be a certain length, contain certain symbols, or pass a strength meter, but then get lazy on their coding and cannot/won’t allow for special characters such as ^%#, etc.
For one, it should be totally up to the user what password they have; if they want to use the password “pass”, then let them. It’s their own fault. I totally support those password strength meters, but I don’t think you should require them to be strong. This leads to users having to have completely different passwords for numerous things, which then leads to them forgetting them, or worse yet, writing them down on paper. How is that improving security at all?
The same could be said about requiring a user to change their password every X days, or requiring them to have special characters in their password, like it cannot start with a number or must have one capital letter.
I understand wanting your users to have strong passwords, especially if you promote that you require all users to have 1 letter, 1 lowercase, and 1 uppercase; a potential cracker might be put off, as brute-forcing a-z, A-Z, 0-9 takes a whole lot longer than just a-z.
One of the worst examples of a password field I have seen is, strangely enough, from one of my personal bank accounts. They require 1 number, 1 uppercase letter, and at least 8 characters. Seems pretty normal and good practice so far, right? Well, the password cannot contain any special characters and cannot exceed 14 characters. Why? I guess maybe I’ll understand if you’re lazy and don’t feel like escaping and accounting for special characters in passwords, but why limit it to only 14 characters?
As an amateur software programmer and power end-user, here is my list of Do’s and Don’ts for web designers:
DO:
- Create a real-time password strength meter. Don’t base it just on length, but also on variety. A 10-character password consisting of just numbers can be cracked very, very fast compared to an 8-character password consisting of upper- and lowercase letters, numbers, and symbols.
DON’T:
- Require them to have a strong password; only give them the information about how strong/weak it is.
DO:
- Require a minimum length for the password. The highest minimum I’d ever require would be 5. The lowest I’d ever require is 3. A 1-character password would be laughable.
DON’T:
- Require a high minimum length such as 7 or 8. Yes, I know 8 characters is the drop-off where a brute-force attack goes from taking 1 day to 1 year, but that doesn’t mean you should require it. If your users pick easy passwords, that’s on them.
DON’T:
- Set a maximum length for a password. I know this is hard to do sometimes, as a 200-character password would wreak havoc in a lot of systems. I think the lowest maximum should be around 20 or 25. I personally use a 15-17 character password depending on, so they do exist.
DO:
- Allow for a-z, A-Z, 0-9 and `~!@#$%^&*()_+-={}|[]\:"<>?/.,;'. Don’t be lazy and avoid the symbols because they require more coding/escaping on the backend. I probably wouldn’t allow for foreign characters or alt-codes, but it would depend on how well the backend could handle them. See my idea on a website specifically designed for this: ________
DON’T:
- Require special sequences or characters, such as 1 lowercase and 1 uppercase, or that it must begin with a letter. I know it’s more secure, but don’t force it on users.
DON’T:
- Expire passwords after so many days. I have never once met someone who liked this idea, not even techs, because it results in people writing passwords down and/or forgetting them, which results in more support calls. If you do end up expiring passwords, allow the exact same password as before. And especially don’t store their last X passwords in order to determine if the new one matches one of the old ones.
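As an added example (not code from the original post), here is what a checker following the Do/Don’t list above looks like: only a minimum length is enforced, no maximum and no required character classes, every printable ASCII symbol is accepted, and the strength meter weighs character variety as well as length. The entropy estimate (length × log2 of the combined pool of character classes used) and the label thresholds are my own assumptions.

```javascript
// Added example following the post's Do/Don't list; not from the original.
// Assumption: strength is approximated as brute-force bits,
// length * log2(combined size of the character classes present).
const CLASSES = [
  { name: 'lower',  re: /[a-z]/,             pool: 26 },
  { name: 'upper',  re: /[A-Z]/,             pool: 26 },
  { name: 'digit',  re: /[0-9]/,             pool: 10 },
  // All 32 printable ASCII symbols, i.e. the set listed in the post
  // (`~!@#$%^&*()_+-={}|[]\:"<>?/.,;'); none are filtered out.
  { name: 'symbol', re: /[!-\/:-@\[-`{-~]/, pool: 32 },
];

// Advisory only: returns { bits, label, classes } so a real-time meter
// can update on every keystroke without ever blocking the user.
function estimateStrength(password) {
  const used = CLASSES.filter(c => c.re.test(password));
  const pool = used.reduce((sum, c) => sum + c.pool, 0);
  const bits = pool > 0 ? password.length * Math.log2(pool) : 0;
  let label;
  if (bits < 28) label = 'very weak';
  else if (bits < 36) label = 'weak';
  else if (bits < 60) label = 'reasonable';
  else label = 'strong';
  return { bits: Math.round(bits * 10) / 10, label, classes: used.map(c => c.name) };
}

// Policy per the post: enforce a minimum length only (default 5, the
// highest minimum the author would set), no maximum length, no required
// classes. Characters outside printable ASCII (space excluded, since the
// post's list omits it) are rejected, matching the post's stance on
// foreign characters and alt-codes.
function validatePassword(password, minLength = 5) {
  const problems = [];
  if (password.length < minLength) {
    problems.push(`must be at least ${minLength} characters`);
  }
  if (/[^!-~]/.test(password)) {
    problems.push('contains characters outside printable ASCII');
  }
  return { ok: problems.length === 0, problems, strength: estimateStrength(password) };
}
```

The 10-digit versus 8-character comparison from the DO item above falls out directly: ten digits score about 33 bits, eight characters drawn from all four classes about 52.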
Anyway, this post is becoming too long. I originally had planned to touch on how to make the perfect password scheme for end-users, but I will now have to break that up into separate posts.
See “Creating Secure Passwords That You’ll Remember” : http://www.brianhare.com/wordpress/2011/03/02/creating-secure-passwords-that-you%E2%80%99ll-remember/
