What approach gives you the MOST SECURE PASSWORDS that are also high on the USER-FRIENDLY scale??
I am building a new site, and decided to use the following Password Requirements...
At least 1 Upper-Case Letter
At least 1 Lower-Case Letter
At least 1 Number
At least 1 Special Character
Between 8-15 Characters
To my dismay, I got slammed in this SitePoint reply
DeathShadow then added on to this...
Was it really such a "Mortal Sin" for me to require Upper-Case, Lower-Case, Numbers, and Special Characters in my Passwords??
I'm with the folks saying 'bad' on the requirements -- in fact one of your requirements makes it EASIER to crack, the short length... see the xkcd comic on the subject. Passwords like that are a social engineering disaster as users will end up writing it down on a sticky pad on the monitor or under the keyboard because they can't remember it. (or worse, shove it into a password 'manager' tool)
But I'm the nut who allows 127 character passwords if the user wants to have it. Security is still PEBKAC, but for the people who aren't a problem, give them the tools to not be a problem... forcing case-sensitive nonsense, numbers, special characters and then putting an absurdly short length on it? Doesn't actually make it more secure.
Besides, 15 characters annoys me since my standard passwords are 18 to 32 characters in length.
Would requiring a Pass-Phrase be better??
Should I give people the choice??
So what do you think?
What is the equation for the MOST SECURE PASSWORDS that are ALSO USER-FRIENDLY??
I know this is a highly contested topic, but like most things, I am sure there is an answer that best addresses the problem at hand!
Okay, let the cage match begin...
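Added example, not part of the original post or the quoted reply: it counts exactly how many passwords the posted policy (8-15 characters, all four classes required) accepts and compares that with constraining length alone, including the 127-character ceiling mentioned in the reply. Assumptions: a 95-character printable ASCII alphabet with 33 specials, and uniformly random choice, so the figures are upper bounds on what human-chosen passwords achieve; all function names are illustrative.

```python
import math
from itertools import combinations

# Assumption: 95 printable ASCII characters, split into the four required classes.
CLASSES = {"upper": 26, "lower": 26, "digit": 10, "special": 33}
ALPHABET = sum(CLASSES.values())  # 95


def count_all_classes(length):
    """Strings of `length` containing at least one character from every class.

    Inclusion-exclusion: subtract strings missing one class, add back those
    missing two, and so on.
    """
    sizes = list(CLASSES.values())
    total = 0
    for k in range(len(sizes) + 1):
        for missing in combinations(sizes, k):
            total += (-1) ** k * (ALPHABET - sum(missing)) ** length
    return total


def policy_space(min_len=8, max_len=15):
    """Every password the posted policy accepts (8-15 chars, all four classes)."""
    return sum(count_all_classes(n) for n in range(min_len, max_len + 1))


def length_only_space(min_len, max_len):
    """Every password accepted when only the length is constrained."""
    return sum(ALPHABET ** n for n in range(min_len, max_len + 1))


def bits(count):
    """Size of a search space in bits, assuming a uniformly random choice."""
    return math.log2(count)


if __name__ == "__main__":
    print(f"posted policy, 8-15 chars : {bits(policy_space()):6.1f} bits")
    print(f"length only, 8-15 chars   : {bits(length_only_space(8, 15)):6.1f} bits")
    print(f"length only, 8-127 chars  : {bits(length_only_space(8, 127)):6.1f} bits")
    share = count_all_classes(8) / ALPHABET ** 8
    print(f"8-char strings passing the four-class rule: {share:.1%}")
```

Under these assumptions the four-class rule rejects more than half of all 8-character strings, and the set of 16-character strings alone is larger than everything the 8-15 policy accepts.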