Rules for website passwords vex me greatly. It’s one reason that I actually like OpenID despite all its potential problems. My problems all revolve around what are considered “safe” passwords.
Ever since I encountered the freedom of SSH passwords, with their ability to use phrases and sentences as passwords, I have been much more acutely aware of the failings of other password schemes. For example, I get frustrated when I have to include a number and a special character in my password but it cannot be longer than 10 characters. Surely an 80-character password that I can remember because it has personal resonance is better than a single dictionary word written in l33t.
So I want to propose some rules for passwords that won’t be annoying.
- Allow passwords of near-arbitrary length; they are strings, after all.
- Use complexity checks rather than arbitrary rules. For example, many sites insist on a number in a password but accept a string containing only numbers, which is less secure than a long string of only letters.
- Don’t exclude spaces, punctuation, etc. Sure, you may want to exclude newline, tab and bell characters, but try to include the widest range of characters possible. Every excluded character should have a good reason for being excluded.
- I think it’s okay to check passwords against dictionaries and common formats like dates.
- Always explain clearly to the user what was wrong with an invalid password and give them the chance to retry. Don’t use error messages (you know, the ones in red and bold) for this; instead use normal text that explains clearly the requirements for the password and the reason why it failed. Include examples of valid passwords (which of course can be part of the dictionary check).
- Encourage people to use multiple words in their passwords. A lot of sites seem to push users towards single words or multiple words mashed together, which makes a brute-force dictionary attack easier.