Password Policies
Poor, or non-existent, password policies are leaving too many people open to attack. In fact, there are many companies and websites that continue to require weak and insecure passwords. Yes, they require them.
I know that my bank does this. So does American Express and ING Direct. Try to enter a password with special characters. They won't let you. Try to enter a password more than 8 characters. They don't allow it. It is frightening, to say the least. My financial data – my money – is only secured by a combination of letters and numbers up to 8 characters long.
My typical password is at least 10 characters long and is always a combination of lower case, upper case, numbers, and at least 2 special characters. I have been forced in many cases to use a much simpler password.
Combine that with the fact that most people use easily guessable passwords, such as their birthday, family members' names, pet's name, etc., and you can imagine how easily these accounts can be cracked. When the end user cannot be relied upon to choose a secure password, the company providing the service should take on that responsibility by instituting a strong password policy.
What can you do?
Here are a few ideas on how you can enhance password security on your website:
- Store only salted SHA-1 hashes of passwords
- Do not specify a maximum length (this doesn't hurt your database, since you are storing the hash, which has a constant size)
- Do specify a minimum length (mine is usually 6)
- Do require a minimum complexity (at least one uppercase, one lowercase, one number and one special character)
- Do not send passwords in plain text over email (such as after a user registers for your service)
- Prevent brute-force attacks by using a lockout policy
- Use secure HTTP connections (HTTPS) for the login process
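As an added example (not code from the original post), here is what the registration-time policy check, the salted hash storage and the login lockout from the list above look like in Python. PBKDF2 is swapped in for the post's plain salted SHA-1 so that the stored hash is slow to guess offline as well as salted, and the lockout threshold of 5 failed attempts is an assumed value, since the post names none.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MIN_LENGTH = 6           # the post's usual minimum; no maximum length is enforced
MAX_FAILED_ATTEMPTS = 5  # lockout threshold (assumed; the post names no number)

COMPLEXITY_RULES = {  # one predicate per character class the post requires
    "uppercase": str.isupper,
    "lowercase": str.islower,
    "digit": str.isdigit,
    "special": lambda c: not c.isalnum(),
}

def policy_violations(password: str) -> list:
    """Return the rules the candidate fails; an empty list means it is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, check in COMPLEXITY_RULES.items():
        if not any(check(c) for c in password):
            problems.append(f"missing {name} character")
    return problems

def hash_password(password: str, salt: bytes = b"", rounds: int = 200_000) -> str:
    """Salted, iterated hash for storage (PBKDF2 in place of the post's salted SHA-1)."""
    salt = salt or os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    _, rounds, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate.hex(), digest_hex)  # constant-time compare

@dataclass
class Account:
    stored_hash: str
    failed_attempts: int = 0
    def login(self, password: str) -> str:
        """'ok', 'bad_password' or 'locked'; the lockout caps online guessing."""
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            return "locked"
        if verify_password(password, self.stored_hash):
            self.failed_attempts = 0
            return "ok"
        self.failed_attempts += 1
        return "locked" if self.failed_attempts >= MAX_FAILED_ATTEMPTS else "bad_password"
```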
While this is not the password policy bible, following the simple rules above can significantly increase the effectiveness of passwords on your system.
Do you know of another site that has a weak security policy? Tell us in the comments.