Password standard

[fvgb]

Is there a 'standard' for passwords for internet sites?

I'm building a website that will require user login and want to know what I should set for min and max limits for the number of characters and what characters that should be allowed.

The site I'm building contains no sensitive or valuable information, the password is only needed to allow personal accounts.

If for instance a-z, A-Z, 0-9 and a certain group of other characters should be allowed (I guess some people wants to use !, #,+ etc), is there some php function to verify that the password chosen by the user contains only these characters?

Many thanks!

[felgall]

There's no actual standard but most these days require a minimum length of at least 6 characters and require that at least one each of lowercase letter, uppercase letter and number be included.

The ones more interested in security require minimum length 8 and add at least one non-alphanumeric character to the above requirement.

[fvgb]

Thank you Stephen,

then I'll set the number of characters to min 6 max 20 as the only limitation and allow any characters to be used.

[logic_earth]

No, set no maximum limit! Set no limit to what characters can be used. If I want to enter an 120 char password word I should be allowed to. Understand if you properly handle passwords there should be no issue. By properly handling I mean using a one-way hashing function like sha256. Then it won't matter what a user enters it will always be the same length and same character set for the database.

PHP Code:

echo hash( 'sha256', '\\1rjLX4iHGT,=05`+@".):QI5ah?\'q`aCk1C>u0>T\'JM/_9WSN>C/EQe#3VZ:>U&&<HNpDM:^*`fM[&N\\@m!!Lp\'\'J8XG6C>I*ILf\'Rp)6t2f=b^' );
# 1c2ae694fd3dfe3d6acfb1e902993bcac45fe6e8c792f4fa28b3fedbabeb2100 


Do you see? My long complicated password is now hashed in a hexadecimal string of a fixed length. No need for escaping or filtering.

[dann12]

Generally most of the sites use the standard length of the password to be 6, you can make it 8 for more secure password and tell the user to include alphanumeric characters, and if possible symbols. You can check weather user entered only character or not in password through regular expression function in php.

[Czaries]

Thank you Stephen,

then I'll set the number of characters to min 6 max 20 as the only limitation and allow any characters to be used.

Please do NOT set a maximum length for passwords. I use 1Password, and my strongest passwords are 50 randomly generated characters or more. The only thing you should be doing is setting a minimum length. Remember, the goal is to make passwords more secure, without an upper limit on the level of security the users wants.

[Aleksejs]

In short words:
If you have to set maximum password length or characters that are allowed/forbidden in password - then most probably, you are doing it wrong.

You need to ensure that passwords are not too short/simple - that is the main validation objective for passwords.

[felgall]

Generally most of the sites use the standard length of the password to be 6, you can make it 8 for more secure password and tell the user to include alphanumeric characters, and if possible symbols. You can check weather user entered only character or not in password through regular expression function in php.

Those are minimums only. Since you should be passing passwords through a hashing algorithm and only storing the hash there is no reason whatever for setting a maximum since the hash will be the same length whether the password is one character or a trillion characters long.

[fvgb]

Thank you for this. No maximum limit and all characters allowed it is.

Regarding the hashing function; I changed it from sha1 to sha256. Since the site is not up yet this is not a problem. But what happens the day sha256 needs to be replaced by something newer? Is there some easy way to change hashing function when you have active hashed passwords in the database?

[Aleksejs]

No, there is not an easy way. Hashing algorithms do not change that often (bear in mind though, that NIST competition for SHA-3 is ending soon).

One strategy would be to store both hashes for the time most of your users login at least once. And when logging in, you check their password against old hash and if it matches then additionally set new hash field. After transition period change authentication routine to use new hash fields only and destroy old hash fields.