YOURsammich / OldAwakens

new repo was made private
https://wokecat.com/
GNU General Public License v3.0

Goal - Force Stronger Passwords #4

Closed. FroggMaster closed this issue 7 years ago.

FroggMaster commented 8 years ago

Goal: Force strong passwords by default.

Reason: This should combat brute forcing and make it far more difficult to steal a user's account.

Suggestion: Users should be required to create a password with 1 capital letter, 1 lowercase letter and 1 number. The password must be at least 8 characters long.

clinei commented 8 years ago

Please no. https://imgs.xkcd.com/comics/password_strength.png Just require a long enough password.

LandonPowell commented 8 years ago

Clinei, that "correct horse battery staple" password is insanely vulnerable to dictionary attack. XKCD is comedy, not compsec. Frogger, passwords are normally 8 characters for users. People are just going to capitalize the first letter. "Password". Your other requirement allows passwords like Aa1, which are just as insecure as any other password when it comes to brute force.

If you're going to implement a password standard, which removes a decent amount of entropy, you should mandate every password be at least 8 characters, and all passwords should require at least one non-alphanumeric character.

Simply giving your users a link to a simple infographic on password security would help you a lot more than trying to protect against an attack that nobody uses anymore though.

PS: SeaFour is going to roll out a system with PBKDF2 sometime this month which you might want to check out when I commit it to GitHub.

clinei commented 8 years ago

The best solution is to combine the long passwords with symbols in unexpected places, like the middle of a word.