Difference between revisions of "Password length & complexity"

From OWASP
Revision as of 09:40, 12 February 2007

Introduction

A password is something that a user knows, similar to the personal identification number (PIN) used with a bank's ATM card. Coupled with a user identifier, it is the most common identification and authentication mechanism implemented in web applications. Below are the advantages and disadvantages of using a password as an authentication mechanism.

Pros

  • easy to implement
  • inexpensive (doesn't require sophisticated hardware)
  • easy to use (unless you forget it)

Cons

  • easy to guess
  • can be sniffed or brute forced
  • users tend to forget their passwords, or write them on sticky notes posted on their monitor or under the keyboard

Best practices

Implementing Password Length & Complexity
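This section is a stub in this revision. As an added illustration, not code from the OWASP page, the following Python checks a password against a minimum-length and character-class policy and estimates the brute-force search space that the "easy to guess" and "can be brute forced" cons above refer to. The policy thresholds (12 characters, 3 character classes), the guess rate, and the sample passwords are assumptions chosen for the example.

```python
import math
import string

# Character classes used both for the complexity rule and for the
# keyspace estimate. Sizes: 26, 26, 10, 32.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def classes_used(password):
    """Return the names of the character classes that appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def check_policy(password, min_length=12, min_classes=3):
    """Check a password against a length-and-complexity policy.

    Thresholds are example values (assumed for this illustration).
    Returns (ok, reasons); reasons lists every rule that failed so the
    user can be told all problems at once rather than one per attempt.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    used = classes_used(password)
    if len(used) < min_classes:
        reasons.append(f"uses {len(used)} character class(es), policy requires {min_classes}")
    return (not reasons, reasons)


def keyspace_bits(password):
    """Brute-force search space, in bits, for an attacker who knows the
    length and which character classes the password draws from:
    log2(alphabet_size ** length). This is an upper bound; it assumes
    every character was chosen uniformly at random."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def expected_guess_seconds(bits, guesses_per_second):
    """Expected time to find the password by exhaustive search: on average
    the attacker tries half the keyspace before hitting it."""
    return 2 ** (bits - 1) / guesses_per_second


if __name__ == "__main__":
    # Sample passwords constructed for the example: a short "complex" one
    # and a long lowercase-only passphrase.
    for pw in ("Tr0ub4dor&3", "correcthorsebatterystaple"):
        ok, reasons = check_policy(pw)
        bits = keyspace_bits(pw)
        years = expected_guess_seconds(bits, 1e9) / (365 * 24 * 3600)
        print(f"{pw!r}: policy ok={ok} {reasons}, {bits:.1f} bits, "
              f"~{years:.3g} years at 1e9 guesses/s")
```

Running the block shows the trade-off a length-and-complexity policy has to balance: the 11-character password with all four classes fails the length rule but yields about 72 bits of search space, while the 25-character lowercase passphrase fails the three-class rule yet yields about 117 bits, because each extra character multiplies the keyspace whereas a larger alphabet only adds a few bits per character. The estimate is only an upper bound: a password built from dictionary words or a predictable pattern is far cheaper to guess than its length and alphabet suggest, so the policy check should be paired with a blacklist of common passwords rather than relied on alone.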