Website Password Requirements
Sometimes you read someone else's blog post and think "I wish I had written that".
Well, Jeremiah Grossman has blogged All about Website Password Policies which neatly sums up password policies for typical web sites and web applications.
While the process seems straightforward, organizations should never take choosing passwords lightly as it will significantly affect the user experience, customer support volume, and the level of security/fraud.
The suggested policy is not for your online bank, but the sort of web sites most developers have to work on day-to-day. He also has a good brief explanation of how to store passwords in a hash digest form (but also read the associated comments).
I do think, however, that there is never a reason to have passwords stored in plain text—password recovery mechanisms can be built that do not need to send the actual password. But also, I agree with the comment that password truncation should be done with care and that allowing users to have longer pass phrases (containing space characters) can be beneficial. Let the user decide on what they are happy with, above the minimum standards.
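As an added example (not code from this post or from Grossman's article), here is a minimal policy check plus salted-hash storage that follows those points: nothing but a digest is kept, an over-long password is rejected rather than silently truncated, and spaces are allowed so long pass phrases work. The length limits, iteration count and function names are assumptions for illustration.

```python
# Added example (not from the original post or Jeremiah Grossman's article):
# a minimal password policy plus salted-hash storage for the points above:
# never keep the plaintext, never truncate silently, allow spaces in long
# pass phrases. The numeric limits are illustrative assumptions.
import hashlib
import hmac
import os
from typing import List, Optional

MIN_LENGTH = 8  # assumed minimum; the post leaves the number to the site
MAX_LENGTH = 1024  # generous cap that bounds hashing cost without truncating
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def check_policy(password: str) -> List[str]:
    """Return policy violations (empty list means acceptable).

    Spaces are allowed so users may choose long pass phrases; the only
    rejections are too short, too long, or stray leading/trailing whitespace."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        # Reject explicitly rather than truncate: truncating would make a
        # long phrase and its prefix interchangeable at login.
        problems.append(f"longer than {MAX_LENGTH} characters")
    if password != password.strip():
        problems.append("leading or trailing whitespace")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 digest; only this string is stored."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
```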
My own password related posts are Is Password Complexity Too Complex to Implement? and Guessable Usernames and Passwords.
Posted on: 09 October 2009 at 10:15 hrs