Difference between revisions of "Password length & complexity"

From OWASP
Jump to: navigation, search
(Best practices)
(Best practices)
Line 18: Line 18:
 
Password length and complexity with proper password management makes the use of password as an authentication mechanism worthwhile to consider in your web application requirements.  Below are best practices for password length and complexity.
 
Password length and complexity with proper password management makes the use of password as an authentication mechanism worthwhile to consider in your web application requirements.  Below are best practices for password length and complexity.
  
'''Password length'''
+
 
* Minimum length of password should be eight (8) characters long.
+
== Password length ==
 +
 
 +
* Minimum length.  Passwords should be at least eight (8) characters long.
 +
* Maximum length.  Twenty (20) characters may already be long for some people.  Remember, people tend to forget their passwords easily.
 +
 
 +
Note:  The minimum and maximum length of password in your system can be implemented in a configurable manner.  Possibly using a properties file or xml configuration file.  This way, you can easily change your systems password length implementation.
  
 
'''Password Complexity'''
 
'''Password Complexity'''
 
* Password characters should be a combination of alphanumeric characters.
 
* Password characters should be a combination of alphanumeric characters.
 +
* For change password functionality, if possible, keep a history of old passwords used for the past 2 months.  In this way, the user cannot change password that was used a couple of months back.
  
 
== Implementing Password Length & Complexity ==
 
== Implementing Password Length & Complexity ==
  
 
[[Category:OWASP Java Project]]
 
[[Category:OWASP Java Project]]

Revision as of 09:05, 12 February 2007

Introduction

A password is something that a user knows similar to a personal identification number (PIN) we use for our bank's ATM card. Coupled with user identification, it the most common form of identification and authorization mechanism implemented in web applications. Below are advantages and disadvantages on using a password as authentication mechanism.

Pros

  • easy to implement
  • inexpensive (doesn't require sophisticated hardware
  • easy to use (unless you forget it)

Cons

  • easy to guess
  • can be sniffed or brute forced
  • users tend to forget their password or list them on sticky notes posted in their monitor or under the keyboard

With best practices and proper implementation guidelines, the use of password as an authentication mechanism can be a quick and easy solution.

Best practices

Password length and complexity with proper password management makes the use of password as an authentication mechanism worthwhile to consider in your web application requirements. Below are best practices for password length and complexity.


Password length

  • Minimum length. Passwords should be at least eight (8) characters long.
  • Maximum length. Twenty (20) characters may already be long for some people. Remember, people tend to forget their passwords easily.

Note: The minimum and maximum length of password in your system can be implemented in a configurable manner. Possibly using a properties file or xml configuration file. This way, you can easily change your systems password length implementation.

Password Complexity

  • Password characters should be a combination of alphanumeric characters.
  • For change password functionality, if possible, keep a history of old passwords used for the past 2 months. In this way, the user cannot change password that was used a couple of months back.

Implementing Password Length & Complexity