Mantra of the day: Imposing arbitrary complexity rules on - TopicsExpress
Mantra of the day: Imposing arbitrary complexity rules on passwords is very user hostile and does not improve security substantially. Don't do it.

Here's why I think the above statement is true:

- If I want to use your website with 123456 as my password, it's my problem. Let me roll with it.
- You may impose a minimum length (e.g. 6 characters), but not a maximum. If I want to cite the entire John Maynard as my password, let me roll with it.
- Your idea of a secure password might not be everybody else's idea. People might use password generators that do not automatically comply with your rule set. Don't annoy them by not accepting their password for no other reason than it containing not enough or too many special characters.
- You must hash your customers' passwords with a decent hashing algorithm plus a random hash salt, different for every user. Only store hash salts and hashes in the database, never store clear text passwords. Once hashed, even a lame password is reasonably secure against theft/cracking.
- Implement security against brute-force attacks (time-based lock-outs, IP-based lock-outs, password locking with e-mail handshake to retrieve a locked account).

So your password validation process goes like this:

New user? Create a user record with username and random salt (never change the salt value for that user).
Returning user? Fetch the salt from the DB, re-hash his password, compare the result to the hash in the DB.

Never store the user's password anywhere physically and use HTTPS to transmit it.

If you do not want to do something like the above, think about using OAuth with your site. It may not be easy either, but you do not have to worry about password security anymore and your users have one less password to remember.
Posted on: Tue, 03 Dec 2013 09:40:37 +0000
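The validation process described in the post, written out as an added example (this is not code from the original post or from any site it refers to). It enforces only a minimum length, never a maximum or a character-class rule, stores a random per-user salt and a PBKDF2-HMAC-SHA256 hash instead of the clear text, compares hashes in constant time, and adds a simple time-based lock-out after repeated failures. The in-memory USERS dictionary stands in for a database table, the iteration count and lock-out numbers are assumed values chosen for illustration, and the sample usernames and passwords are constructed.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed in-memory stand-in for the users table: username -> record.
# A record holds the salt and the hash, never the clear text password.
USERS = {}

MIN_PASSWORD_LENGTH = 6      # the only rule imposed: a minimum, never a maximum
PBKDF2_ITERATIONS = 100_000  # assumed work factor; tune upward for your hardware
SALT_BYTES = 16
MAX_FAILED_ATTEMPTS = 5      # assumed lock-out policy
LOCKOUT_SECONDS = 15 * 60


def validate_password_policy(password: str) -> bool:
    """Only a minimum length is enforced: no maximum, no special-character rules."""
    return len(password) >= MIN_PASSWORD_LENGTH


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 from the standard library. The password is UTF-8 encoded,
    # so arbitrary text of any length (an entire poem included) is accepted.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(username: str, password: str) -> bool:
    """New user: create the record with username, a fresh random salt and the hash."""
    if username in USERS or not validate_password_policy(password):
        return False
    salt = os.urandom(SALT_BYTES)  # random, different for every user, never changed later
    USERS[username] = {
        "salt": salt,
        "hash": hash_password(password, salt),
        "failed": 0,
        "locked_until": 0.0,
    }
    return True


def login(username: str, password: str, now: Optional[float] = None) -> str:
    """Returning user: fetch the salt, re-hash the submitted password, compare to the stored hash.

    Returns "ok", "bad_credentials" or "locked". The caller is expected to receive the
    password over HTTPS and to discard it after this call; it is never written anywhere.
    """
    now = time.time() if now is None else now
    record = USERS.get(username)
    if record is None:
        # Burn a hash anyway so an unknown username is not distinguishable by response time.
        hash_password(password, b"\x00" * SALT_BYTES)
        return "bad_credentials"
    if now < record["locked_until"]:
        return "locked"
    candidate = hash_password(password, record["salt"])
    if hmac.compare_digest(candidate, record["hash"]):  # constant-time comparison
        record["failed"] = 0
        return "ok"
    record["failed"] += 1
    if record["failed"] >= MAX_FAILED_ATTEMPTS:
        # Time-based lock-out; an e-mail handshake to unlock early would hook in here.
        record["locked_until"] = now + LOCKOUT_SECONDS
        record["failed"] = 0
    return "bad_credentials"


if __name__ == "__main__":
    register("alice", "123456")                    # weak, but her problem; accepted
    register("poet", "A very long passphrase, many words, no maximum length imposed")
    print(login("alice", "123456"))                # ok
    print(login("alice", "wrong"))                 # bad_credentials
```

The lock-out here keys on the username; the IP-based variant the post also mentions would keep the same counter per client address instead, and a real deployment would persist both counters in the database rather than in process memory.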
