  1. #1 SitePoint Member (joined Jul 2011)

    Password standard

    Is there a 'standard' for passwords for internet sites?

    I'm building a website that will require user login and want to know what I should set for min and max limits for the number of characters and what characters that should be allowed.

    The site I'm building contains no sensitive or valuable information, the password is only needed to allow personal accounts.

    If for instance a-z, A-Z, 0-9 and a certain group of other characters should be allowed (I guess some people want to use !, #, + etc.), is there some PHP function to verify that the password chosen by the user contains only these characters?

    Many thanks!

  2. #2 felgall (Stephen J Chapman), Sydney, NSW, Australia
    There's no actual standard but most these days require a minimum length of at least 6 characters and require that at least one each of lowercase letter, uppercase letter and number be included.

    The ones more interested in security require minimum length 8 and add at least one non-alphanumeric character to the above requirement.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

  3. #3 SitePoint Member (original poster)
    Thank you Stephen,

    then I'll set the number of characters to min 6 max 20 as the only limitation and allow any characters to be used.

  4. #4 logic_earth, CA
    No, set no maximum limit! Set no limit to what characters can be used. If I want to enter a 120-character password I should be allowed to. Understand, if you properly handle passwords there should be no issue. By properly handling I mean using a one-way hashing function like sha256. Then it won't matter what a user enters; it will always be the same length and same character set for the database.

    PHP Code:
    <?php
    // hash() takes the algorithm name and the data; single-quoted string, so only \\ and \' are escapes
    echo hash('sha256', '\\1rjLX4iHGT,=05`+@".):QI5ah?\'q`aCk1C>u0>T\'JM/_9WSN>C/EQe#3VZ:>U&&<HNpDM:^*`fM[&N\\@m!!Lp\'\'J8XG6C>I*ILf\'Rp)6t2f=b^');
    # 1c2ae694fd3dfe3d6acfb1e902993bcac45fe6e8c792f4fa28b3fedbabeb2100 
    Do you see? My long complicated password is now hashed in a hexadecimal string of a fixed length. No need for escaping or filtering.
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.


  5. #5 SitePoint Enthusiast (joined Jun 2011)
    Generally most sites use a standard password length of 6; you can make it 8 for a more secure password and tell the user to include alphanumeric characters, and if possible symbols. You can check whether the user entered only the allowed characters in the password through a regular expression function in PHP.

  6. #6 Czaries (PHP/Rails Developer), Central USA
    Quote, originally posted by fvgb:
        Thank you Stephen,

        then I'll set the number of characters to min 6 max 20 as the only limitation and allow any characters to be used.
    Please do NOT set a maximum length for passwords. I use 1Password, and my strongest passwords are 50 randomly generated characters or more. The only thing you should be doing is setting a minimum length. Remember, the goal is to make passwords more secure, without an upper limit on the level of security the users wants.

  7. #7 Aleksejs, Riga, Latvia
    In short words:
    If you have to set maximum password length or characters that are allowed/forbidden in password - then most probably, you are doing it wrong.

    You need to ensure that passwords are not too short/simple - that is the main validation objective for passwords.

  8. #8 felgall (Stephen J Chapman), Sydney, NSW, Australia
    Quote, originally posted by dann12:
        Generally most sites use a standard password length of 6; you can make it 8 for a more secure password and tell the user to include alphanumeric characters, and if possible symbols. You can check whether the user entered only the allowed characters in the password through a regular expression function in PHP.
    Those are minimums only. Since you should be passing passwords through a hashing algorithm and only storing the hash there is no reason whatever for setting a maximum since the hash will be the same length whether the password is one character or a trillion characters long.
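    Putting posts #2 through #8 together, the following is an added example (not code from the thread or from any of its posters) of the policy they converge on: a minimum length measured in characters rather than bytes, no restriction on which characters may be used, and only a hash stored. It uses PHP's built-in password_hash()/password_verify() (bcrypt by default) rather than a bare sha256, because an unsalted fast hash lets anyone who copies the table test guesses at hardware speed. One caveat to "set no maximum": bcrypt only reads the first 72 bytes of its input, so the example rejects longer inputs explicitly instead of letting them be silently truncated. The 8-character minimum, the 72-byte cap and the sample passwords are this example's own choices, and mb_strlen() assumes the mbstring extension is loaded.

```php
<?php
// Added example, not from the thread: minimum length only, any character allowed,
// password_hash() instead of a bare sha256.  Constants below are this example's choices.
declare(strict_types=1);

const MIN_PASSWORD_CHARS = 8;
// bcrypt silently ignores everything after the first 72 bytes of input, so an
// explicit upper bound is safer than pretending there is none.
const MAX_PASSWORD_BYTES = 72;

/**
 * Returns an empty array if $password is acceptable, otherwise a list of reasons.
 * Length is counted in characters (mb_strlen), so "pässwörd" is 8 characters, not 11 bytes.
 */
function validatePassword(string $password): array
{
    $errors = [];
    if (mb_strlen($password, 'UTF-8') < MIN_PASSWORD_CHARS) {
        $errors[] = sprintf('must be at least %d characters', MIN_PASSWORD_CHARS);
    }
    if (strlen($password) > MAX_PASSWORD_BYTES) {
        $errors[] = sprintf('must be at most %d bytes (bcrypt limit)', MAX_PASSWORD_BYTES);
    }
    // Deliberately no character-class rule: "!", "#", "+", spaces and non-ASCII are all fine.
    return $errors;
}

/** Salted bcrypt hash; the returned "$2y$..." string is what goes in the database. */
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT);
}

/** Constant-time check of a login attempt against the stored hash. */
function checkPassword(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// Demo with constructed inputs: too short, a long passphrase, non-ASCII with symbols, over the cap.
$candidates = ['short', 'correct horse battery staple', 'pässwörd!#+', str_repeat('x', 80)];
foreach ($candidates as $pw) {
    $errors = validatePassword($pw);
    echo json_encode($pw) . ' => ' . ($errors ? implode('; ', $errors) : 'ok') . PHP_EOL;
}

$stored = hashPassword('correct horse battery staple');
var_dump(checkPassword('correct horse battery staple', $stored));
var_dump(checkPassword('Correct horse battery staple', $stored));
```

    Run it with php on the command line; the two var_dump() lines at the end check a correct and an incorrect password against the same stored hash. If a larger bound than 72 bytes is ever needed, move to a scheme without that limit, but keep some generous cap so a deliberately slow hash is never fed megabytes of attacker-chosen input.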

  9. #9 SitePoint Member (original poster)
    Thank you for this. No maximum limit and all characters allowed it is.

    Regarding the hashing function; I changed it from sha1 to sha256. Since the site is not up yet this is not a problem. But what happens the day sha256 needs to be replaced by something newer? Is there some easy way to change hashing function when you have active hashed passwords in the database?

  10. #10 Aleksejs, Riga, Latvia
    No, there is not an easy way. Hashing algorithms do not change that often (bear in mind though, that NIST competition for SHA-3 is ending soon).

    One strategy would be to store both hashes for the time most of your users login at least once. And when logging in, you check their password against old hash and if it matches then additionally set new hash field. After transition period change authentication routine to use new hash fields only and destroy old hash fields.
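    The transition Aleksejs describes, as an added example that is not part of the thread. It keeps one password column instead of two and tags the legacy value with a scheme prefix (here "sha256:", an assumed convention) so the login routine knows which check to run; on a successful legacy login it rewrites the row with password_hash(), and password_needs_rehash() does the same job later when the default algorithm or cost changes, which answers the question in #9 about replacing the hash function in future. The in-memory $users array and the two sample accounts are constructed for the demo.

```php
<?php
// Added example, not from the thread: rehash-on-login migration from unsalted
// sha256 to password_hash().  Storage format is an assumption of this example:
//   "sha256:<hex digest>"  legacy row
//   "$2y$..."              migrated row (native password_hash() string)
declare(strict_types=1);

// Constructed in-memory user table standing in for the database.
$users = [
    'alice' => ['pw' => 'sha256:' . hash('sha256', 'alice-legacy-pass')], // legacy
    'bob'   => ['pw' => password_hash('bob-new-pass', PASSWORD_DEFAULT)],   // already migrated
];

function isLegacyHash(string $stored): bool
{
    return strncmp($stored, 'sha256:', 7) === 0;
}

/** Checks $password against whichever scheme $stored was written with. */
function verifyStored(string $password, string $stored): bool
{
    if (isLegacyHash($stored)) {
        // hash_equals() compares in constant time; hash() returns lowercase hex.
        return hash_equals(substr($stored, 7), hash('sha256', $password));
    }
    return password_verify($password, $stored);
}

/**
 * Returns true on a successful login.  Upgrades the stored hash in place when it is
 * a legacy sha256 value, or a bcrypt hash whose cost/algorithm is no longer current.
 */
function login(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        // Verify against a throwaway hash so an unknown user costs about as much
        // time as a wrong password (avoids a timing-based username oracle).
        static $dummyHash = null;
        if ($dummyHash === null) {
            $dummyHash = password_hash('dummy', PASSWORD_DEFAULT);
        }
        password_verify($password, $dummyHash);
        return false;
    }

    $stored = $users[$name]['pw'];
    if (!verifyStored($password, $stored)) {
        return false;
    }

    // The cleartext is only available at login, so this is the one moment a new hash can be made.
    if (isLegacyHash($stored) || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$name]['pw'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Demo: failed legacy login leaves the row alone; a successful one migrates it.
var_dump(login($users, 'alice', 'wrong'));
var_dump(isLegacyHash($users['alice']['pw']));
var_dump(login($users, 'alice', 'alice-legacy-pass'));
var_dump(isLegacyHash($users['alice']['pw']));
var_dump(login($users, 'bob', 'bob-new-pass'));
var_dump(login($users, 'nobody', 'anything'));
```

    After the transition period, the rows still carrying the "sha256:" prefix belong to users who never logged in; those accounts get a forced password reset, and the legacy branch of verifyStored() is then deleted, which is the "destroy old hash fields" step above.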

