Passwords: does size matter, what characters?

Bruce Dawson jbd at codemeta.com
Thu Mar 9 20:13:01 EST 2006


Ted Roche wrote:
> Designing a web site for a client, he asked what the general guidance
> was for passwords. Users are going to be logging into the site (just
> plain http initially, no banking info, SSNs or credit card numbers, all
> that comes after SSL and first round financing). Looking around, web
> sites I visit are all over the place and some are nonsensical (no more
> than 8 characters), others require a minimum of five, six, some allow
> alphanumeric but no punctuation. I usually throw in upper-, lower-,
> numeric and a punctuation symbol or two. Is there some reason to shy
> away from letting the user type whatever they want, assuming you escape
> it properly in HTML and the destination database? Not allowing them to
> use their login ID seems like a good minimal rule.

I forget who, but someone once said that using SSL on a web site is like
using an armored car to take a message from someone living on a park
bench to someone living on the street.

That said, passwords are used more for authentication on most web sites
than as an encryption key. So the password policy is whatever the site's
customers are comfortable with.

If there's a detection mechanism on the site that will spot attempts to
gain access to an account (repeated failures, ...), then most sites will
simply disable the account after X failed entry attempts, and spit out a
message for the customer to physically present him- or herself at a branch
office - or to call an 800 number and enter some personally identifying
information. A lot of places feel you don't need rigorous passwords if
they have an automatic disabling mechanism in place.

> Are there "commonly accepted guidelines?"

Yes. There are at least a dozen guidelines ranging from 4 digits (used
by most ATM systems) to cryptokey generators.

The critical point is not password length, but authentication mechanism.
What happens if an unauthorized user gets hold of the password? How
does the system tell if person A or person B is the fake?

In the consumer space, passwords are used more for "casual" protection
and "key splitting" (2 or more physically separate items are required
for authentication) than anything else.

--Bruce
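The failed-attempt disabling mechanism described in the post, as an added example that is not part of the original message or anyone's production code. The class and function names, the threshold of five failures, and the PBKDF2 iteration count are all assumptions chosen for illustration; the password hashing and constant-time comparison use only the Python standard library.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict

# Hypothetical "X failed entry attempts" threshold from the post; tune per site.
MAX_FAILURES = 5

# Assumed work factor for PBKDF2-HMAC-SHA256; raise it for real deployments.
PBKDF2_ROUNDS = 100_000


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    disabled: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so a stolen table is not a stolen password list.
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS
    )


class LoginGuard:
    """Per-account failure counter that hard-disables after max_failures."""

    def __init__(self, max_failures: int = MAX_FAILURES) -> None:
        self.max_failures = max_failures
        self.accounts: Dict[str, Account] = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt=salt, pw_hash=hash_password(password, salt))

    def login(self, user: str, password: str) -> str:
        """Return 'ok', 'denied' or 'disabled'."""
        acct = self.accounts.get(user)
        if acct is None:
            # Unknown user: still burn one hash so response time does not
            # reveal which login IDs exist.
            hash_password(password, b"\x00" * 16)
            return "denied"
        if acct.disabled:
            # Disabled accounts stay disabled even for the right password;
            # only the out-of-band reset below re-enables them.
            return "disabled"
        candidate = hash_password(password, acct.salt)
        if hmac.compare_digest(candidate, acct.pw_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= self.max_failures:
            acct.disabled = True
            return "disabled"
        return "denied"

    def reset_by_support(self, user: str) -> None:
        # Models the branch visit / 800-number identity check from the post:
        # whatever happens there is outside this code; it only re-enables.
        acct = self.accounts[user]
        acct.failures = 0
        acct.disabled = False


if __name__ == "__main__":
    guard = LoginGuard(max_failures=3)
    guard.register("alice", "correct horse battery staple")  # constructed sample
    for guess in ("wrong1", "wrong2", "wrong3", "correct horse battery staple"):
        print(guess, "->", guard.login("alice", guess))
    guard.reset_by_support("alice")
    print("after reset ->", guard.login("alice", "correct horse battery staple"))
```

One caveat worth weighing before adopting the hard-disable approach: because any client can trigger the counter, an attacker who knows a login ID can lock its owner out on purpose, so many sites prefer a temporary lockout or progressive delay over a permanent disable that requires a support call.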
