Passwords: does size matter, what characters?
Ted Roche
tedroche at tedroche.com
Thu Mar 9 17:19:01 EST 2006
Designing a web site for a client, he asked what the general guidance
was for passwords. Users are going to be logging into the site (just
plain http initially, no banking info, SSNs or credit card numbers,
all that comes after SSL and first round financing). Looking around,
web sites I visit are all over the place and some are nonsensical (no
more than 8 characters), others require a minimum of five, six, some
allow alphanumeric but no punctuation. I usually throw in upper-,
lower-, numeric and a punctuation symbol or two. Is there some reason
to shy away from letting the user type whatever they want, assuming
you escape it properly in HTML and the destination database? Not
allowing them to use their login ID seems like a good minimal rule.
Are there "commonly accepted guidelines?"
Ted Roche
Ted Roche & Associates, LLC
http://www.tedroche.com
More information about the gnhlug-discuss
mailing list