Passwords: does size matter, what characters?
Jason Stephenson
jason at sigio.com
Thu Mar 9 20:29:01 EST 2006
Ted Roche wrote:
> Designing a web site for a client, he asked what the general guidance
> was for passwords. Users are going to be logging into the site (just
> plain http initially, no banking info, SSNs or credit card numbers, all
> that comes after SSL and first round financing). Looking around, web
> sites I visit are all over the place and some are nonsensical (no more
> than 8 characters), others require a minimum of five, six, some allow
> alphanumeric but no punctuation. I usually throw in upper-, lower-,
> numeric and a punctuation symbol or two. Is there some reason to shy
> away from letting the user type whatever they want, assuming you escape
> it properly in HTML and the destination database? Not allowing them to
> use their login ID seems like a good minimal rule.
>
> Are there "commonly accepted guidelines?"
>
Let them enter what they like. I usually add punctuation to my passwords
and have a little C program that outputs passwords of various lengths
(the length is specified as a command line parameter). These passwords
resemble line noise: ~mgMs;T!--I get frustrated with sites that won't
accept punctuation.
It's not difficult if you remember to encode and decode the strings
properly. The browser should encode it when sending it over, so decoding
it properly is your main concern.
I actually store my passwords for various web sites as plain text in a
mysql database. I keep the passwords for my workstations and servers in
a little notebook along with various notes about little admin tricks
that I've picked up, etc. (Yes, I know, they aren't stored in the most
secure manner, but I believe it is safe enough for my purposes.)
If you're storing these in a database for web site authentication
purposes, then you'll probably want to store a hash of the password and
not the actual password. This is "safer" in case your database/server
gets hacked. To authenticate a user, you'd hash the password input and
compare it to the hash in your database. MySQL has a password() function
that can do the hashing, or you could use some SHA or MD5 algorithm. I
imagine PostgreSQL also has something like the password() function in
MySQL, but I've never programmed with Postgres.
The other option is to use normal HTTP authentication and let htpasswd
(if you're using Apache) manage the passwords for you.
Anyway, that's about all I can think of that you haven't mentioned. I
wouldn't impose too many restrictions on their input, but I wouldn't
allow Joes (the user name as the password), and would probably require a
minimum of 6 characters. Other than that, I'd let them enter what they will.
Cheers,
Jason
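An added example, not from the thread, of the store-a-hash-and-compare scheme described in the post: the policy rules (at least 6 characters, not the login ID, any punctuation allowed) follow Jason's advice, but the hashing swaps the plain SHA/MD5 or MySQL password() he mentions for a salted, iterated PBKDF2-HMAC-SHA256 with a constant-time comparison; the iteration count and record format are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Policy from the post: minimum length 6, and the login ID is not allowed as the password.
MIN_LENGTH = 6
ITERATIONS = 200_000  # PBKDF2 work factor; an assumed value, raise as hardware allows


def check_policy(username: str, password: str) -> Optional[str]:
    """Return the reason the password is rejected, or None if it is acceptable."""
    if password.casefold() == username.casefold():
        return "same as login ID"
    if len(password) < MIN_LENGTH:
        return "too short"
    return None  # any other characters, punctuation included, are fine


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record: 'pbkdf2_sha256$iterations$salt_hex$hash_hex'."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user, so equal passwords hash differently
    # UTF-8 encode so that non-ASCII and punctuation round-trip exactly at sign-up and login.
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join(["pbkdf2_sha256", str(ITERATIONS), salt.hex(), digest.hex()])


def verify_password(stored: str, candidate: str) -> bool:
    """Re-hash the submitted password with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac(
            "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
        )
    except ValueError:  # malformed record: wrong field count, bad hex or iteration count
        return False
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    # Constructed sample using the line-noise style password quoted in the post.
    user, pw = "joe", "~mgMs;T!"
    print(check_policy(user, pw))          # None: accepted
    record = hash_password(pw)
    print(record)
    print(verify_password(record, pw))     # True
    print(verify_password(record, "joe"))  # False
```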