A few thoughts on how to enforce strong user IDs and passwords.

User IDs can be email addresses. (An email with a link can be sent to the address to make sure it is valid.)

- Password must be between 8 and 14 characters.
- Password must contain at least one number, at least one English uppercase character, and at least one English lowercase character.
- Password must contain one special character such as #, *, or &.
- Password may not have more than two consecutive identical characters.

Example: grEen12# is valid, but grEEEn12# is not.

- Password cannot be the same as your previous three passwords.

- Password cannot be similar to your previous three passwords.

Example: if your old password is grEen12#, the new password cannot be grEen13#.

- Password cannot be the same as or contain your user ID, the word “password”, or your site / company name.

Example: if your site is abcjewellers, the password cannot be aBcJewellers#1 or paSSword$1.

- Password should expire every 60 days.
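
The rules above expressed as one checking function, as an added example that is not part of the original post. The 0.8 similarity threshold, the use of `string.punctuation` as the special-character set, the extra ban on the part of an email user ID before the @, and the plain-text `previous` list are assumptions; the post does not define them.

```python
import re
import string
from datetime import datetime, timedelta
from difflib import SequenceMatcher

MAX_AGE = timedelta(days=60)   # expiry period from the list above
SIMILARITY_LIMIT = 0.8         # assumption: the post gives no threshold


def policy_violations(password, user_id, site_name, previous=()):
    """Return the rules the candidate breaks (an empty list means accepted).

    `previous` holds earlier passwords as plain text, oldest first; only the
    last three are checked. Plain-text history is an assumption made so the
    similarity rule can be shown.
    """
    problems = []
    folded = password.casefold()
    if not 8 <= len(password) <= 14:
        problems.append("length")
    if not (re.search(r"[0-9]", password) and re.search(r"[A-Z]", password)
            and re.search(r"[a-z]", password)):
        problems.append("character classes")
    if not any(ch in string.punctuation for ch in password):
        problems.append("special character")
    if re.search(r"(.)\1\1", password):   # three identical characters in a row
        problems.append("repeated characters")
    for old in previous[-3:]:
        if password == old:
            problems.append("reused")
            break
        ratio = SequenceMatcher(None, folded, old.casefold()).ratio()
        if ratio >= SIMILARITY_LIMIT:
            problems.append("similar to previous")
            break
    # User ID, the word "password" and the site name are matched ignoring case.
    banned = [user_id.casefold(), "password", site_name.casefold()]
    # Assumption: for an email user ID, the part before the @ is banned too.
    banned.append(user_id.casefold().split("@")[0])
    if any(word and word in folded for word in banned):
        problems.append("contains banned word")
    return problems


def is_expired(last_changed, now):
    """True once the password is more than 60 days old."""
    return now - last_changed > MAX_AGE
```

A system that keeps only salted hashes of old passwords can check exact reuse by hashing the candidate with each stored salt, but the similarity rule needs the old password in plain text, which is normally available only for the current password the user types during the change.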