What approach gives you the MOST SECURE PASSWORDS that are also high on the USER-FRIENDLY scale??
I am building a new site, and decided to use the following Password Requirements...
At least 1 Upper-Case Letter
At least 1 Lower-Case Letter
At least 1 Number
At least 1 Special Character
Between 8-15 Characters
To my dismay, I got slammed in this SitePoint reply
DeathShadow then added on to this...
I'm with the folks saying 'bad' on the requirements -- in fact one of your requirements makes it EASIER to crack, the short length... see the xkcd comic on the subject.. Passwords like that are a social engineering disaster as users will end up writing it down on a sticky pad on the monitor or under the keyboard because they can't remember it. (or worse shove it into a password 'manager' tool)
But I'm the nut who allows 127 character passwords if the user wants to have it. Security is still PEBKAC, but for the people who aren't a problem, give them the tools to not be a problem... forcing case sensitive nonsense, numbers, special characters and then putting an absurdly short length on it? Doesn't actually make it more secure.
Besides, 15 characters annoys me since my standard passwords are 18 to 32 characters in length.
Was it really such a "Mortal Sin" for me to require Upper-Case, Lower-Case, Numbers, and Special Characters in my Passwords?? :-/
Would requiring a Pass-Phrase be better??
Should I give people the choice??
[b]So what do you think?
What makes the equation for the MOST SECURE PASSWORDS that are ALSO USER-FRIENDLY??[/b]
I know this is a highly contested topic, but like most things, I am sure there is an answer that best addresses the problem at hand!
Okay, let the cage match begin...
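Added example, not part of the original post or the quoted reply: a Python sketch that runs the five posted rules and a length-only rule against constructed sample passwords, and computes the best-case search space for each approach. The 127-character maximum comes from the reply; the 12-character minimum, the 94-character alphabet and the 2048-word list are assumptions.

```python
import math
import string

SPECIALS = set(string.punctuation)  # the 32 ASCII punctuation characters

def meets_posted_policy(pw):
    """The five rules listed in the post: upper, lower, digit, special, 8-15 chars."""
    return (8 <= len(pw) <= 15
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in SPECIALS for c in pw))

def meets_length_policy(pw, min_len=12, max_len=127):
    """Length-only rule. max_len=127 is from the reply; min_len=12 is an assumption."""
    return min_len <= len(pw) <= max_len

def random_bits(length, alphabet=94):
    """Search space in bits if every character is uniformly random (94 printable ASCII)."""
    return length * math.log2(alphabet)

def passphrase_bits(words, wordlist_size=2048):
    """Search space in bits for words drawn at random from a list (size is an assumption)."""
    return words * math.log2(wordlist_size)

# Constructed sample passwords, not taken from any real system.
SAMPLES = [
    "Summer2024!",                 # predictable pattern that ticks every box
    "kV7#pQ2!xM9@dL4$wZ",          # 18 random characters
    "maple radio tunnel sketch",   # four-word passphrase
]

def evaluate(samples=SAMPLES):
    """Return (password, length, passes posted policy, passes length policy) rows."""
    return [(pw, len(pw), meets_posted_policy(pw), meets_length_policy(pw))
            for pw in samples]

if __name__ == "__main__":
    for pw, n, posted, by_length in evaluate():
        print(f"{pw!r:30} len={n:2}  posted={posted!s:5}  length-only={by_length}")
    print(f"8 random chars : {random_bits(8):.1f} bits (best case for the minimum)")
    print(f"15 random chars: {random_bits(15):.1f} bits (best case for the cap)")
    print(f"4 random words : {passphrase_bits(4):.1f} bits")
    print(f"6 random words : {passphrase_bits(6):.1f} bits")
```

The bit counts are upper bounds that hold only when the characters or words are chosen at random; a human-chosen password such as the first sample passes the posted rules while sitting far below its figure.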