Difference between revisions of "Password length & complexity"
|Line 1:||Line 1:|
Requires content, see
Requires content, see https://www.owasp.org/index.php?title=Talk:Password_length_%26_complexity&action=edit
== Introduction ==
== Introduction ==
Revision as of 11:07, 10 March 2008
Requires content, see the discussions page
A password is something that a user knows similar to a personal identification number (PIN) we use for our bank's ATM card. Coupled with user identification, it the most common form of identification and authorization mechanism implemented in web applications. Below are advantages and disadvantages on using a password as authentication mechanism.
- easy to implement
- inexpensive (doesn't require sophisticated hardware)
- easy to use (unless you forget it)
- easy to guess
- can be sniffed or brute forced
- users tend to forget their password or list them on sticky notes posted in their monitor or under the keyboard
With best practices and proper implementation guidelines, the use of password as an authentication mechanism can be a quick and easy solution.
Password length and complexity with proper password management makes the use of password as an authentication mechanism worthwhile to consider in your web application requirements. Below are best practices for password length and complexity.
Password length considers the minimum and maximum length of characters comprising the password of your users. For ease of changing this length, its implementation can be configurable possibly using a properties file or xml configuration file.
- Minimum length. Passwords should be at least eight (8) characters long. Combining this length with complexity makes a password difficult to guess and/or brute forced.
- Maximum length. Remember, people tend to forget their passwords easily. The longer the password, the more chances people will mistakenly use them in your system.
- Password characters should be a combination of alphanumeric characters. Alphanumeric characters consist of letters, numbers, punctuation mark, mathematical and other conventional symbols. See implementation below for the exact characters referred to.
- For change password functionality, if possible, keep a history of old passwords used for the past 2 months. In this way, the user cannot change password that was used a couple of months back.