Activity log for bug #457357

| Date | Who | What changed | Old value | New value | Message |
|---|---|---|---|---|---|
| 2009-10-21 16:33:43 | root | bug | | | added bug |
| 2009-10-21 16:33:43 | Bug Importer | bug | | | Imported external bug #52 |
| 2009-10-29 15:51:38 | Adam P | description | * Current requirement is at least 2 characters. This falls pretty short of standard practices and almost guarantees an easy brute force attack against users choosing the minimum length. * Recommend at least 6 characters, plus mix of classes. * Could have stronger requirements for more privileged users (Admin, etc.) -- would need some tricky logic in case where user role changes. * Other common practices: * User name not a substring * Dictionary checks (excepting passphrases) * Expiry & history? * There's a lot of good info here: http://en.wikipedia.org/wiki/Password_strength. Studies indicate that user's password strength depends on the instructions they are given. Again, this is especially important for higher privileged users. | * Recommend at least 6 characters, plus mix of classes. * Could have stronger requirements for more privileged users (Admin, etc.) -- would need some tricky logic in case where user role changes. * Other common practices: * User name not a substring * Dictionary checks (excepting passphrases) * Expiry & history? * There's a lot of good info here: http://en.wikipedia.org/wiki/Password_strength. Studies indicate that user's password strength depends on the instructions they are given. Again, this is especially important for higher privileged users. | |
| 2009-10-29 19:46:31 | Adam P | psiphon: status | New | Confirmed | |
| 2009-11-24 00:45:52 | Rod | visibility | private | public | |
| 2010-05-06 20:38:38 | Rod | tags | | category3 | |