xyph Posted July 2, 2012

I'd suggest using Openwall's passwdqc, if possible. http://www.openwall.com/passwdqc/

Info on implementing it with PHP once installed: http://www.openwall.com/articles/PHP-Users-Passwords#enforcing-password-policy

It's far more complex, but it's worth it if it's actually valuable to enforce password policy. With 99% of the sites I build, I never feel a need to enforce anything more than a length of 8 characters or more. Beyond that, if a user wants to use 'password', they're more than welcome to.
Psycho Posted July 3, 2012

My point was, you can make very complex passwords without following a scheme some developer decided was best for it. Many banks, Facebook, Blizzard, etc. don't even bother with case-sensitive passwords any more. The caps-lock key was too much support time to deal with, and the added entropy of 26 additional choices per character doesn't mean much on a 10-character password for implementation's sake.

I think we are getting to the same conclusion, but have different reasons for getting there. If the user wants a password called "password" or wants to enter the star spangled banner in 1337 code, that's up to them. With a few exceptions (financial/medical information), an application should not be the arbiter of what is an acceptable password. And the only reason I think financial/medical type sites should require "complex" passwords is not because they "should" but because they have to in order to prevent lawsuits from users that use simple passwords.
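The two positions in this thread, as an added example rather than code from either poster or from Openwall: xyph's "length of 8 and nothing more" policy, with pwqcheck from passwdqc as the optional strict mode for the financial/medical case, and the entropy arithmetic behind Psycho's remark about case-insensitive passwords. The pwqcheck details are assumptions from the passwdqc documentation, not from the posts: the binary path `/usr/bin/pwqcheck`, the `-1` flag (read only the new password, one line, from stdin), and that it prints `OK` on acceptance or a reason otherwise.

```php
<?php
// Added example for the thread above; not the forum's or Openwall's code.
declare(strict_types=1);

// The policy most sites in the thread settle on: a minimum length, nothing
// else. Returns null when the password is acceptable, else a reason string.
function check_min_length(string $password, int $min = 8): ?string
{
    // Count characters rather than bytes so multibyte input is not
    // over-counted (strlen() would count UTF-8 bytes). Requires mbstring.
    if (mb_strlen($password, 'UTF-8') < $min) {
        return "password must be at least $min characters";
    }
    return null;
}

// Strict mode for the financial/medical case: hand the candidate to
// Openwall's pwqcheck. ASSUMED: pwqcheck lives at $binary, accepts -1 to
// read a single line (the new password) from stdin, and prints "OK" when
// the password passes or a one-line reason when it does not.
function check_with_pwqcheck(string $password, string $binary = '/usr/bin/pwqcheck'): ?string
{
    // pwqcheck reads one line, so a newline in the password would truncate it.
    if (strpos($password, "\n") !== false) {
        return 'password may not contain a newline';
    }
    $spec  = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $pipes = [];
    $proc  = proc_open(escapeshellarg($binary) . ' -1', $spec, $pipes);
    if (!is_resource($proc)) {
        return 'pwqcheck is not available';
    }
    // The password goes over stdin, never on the command line, so it does
    // not appear in the process list.
    fwrite($pipes[0], $password . "\n");
    fclose($pipes[0]);
    $out = trim((string) stream_get_contents($pipes[1]));
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    if ($out === 'OK') {
        return null;
    }
    return $out !== '' ? $out : 'pwqcheck rejected the password';
}

// Combined check: the length floor always applies; pwqcheck only when the
// site has decided it needs a real policy.
function check_password_policy(string $password, bool $strict = false): ?string
{
    $reason = check_min_length($password);
    if ($reason !== null || !$strict) {
        return $reason;
    }
    return check_with_pwqcheck($password);
}

// Entropy of a password drawn uniformly from an alphabet of $alphabet
// symbols: bits = length * log2(alphabet). Used below to size Psycho's
// "26 additional choices per character" on a 10-character password.
function entropy_bits(int $length, int $alphabet): float
{
    return $length * log($alphabet, 2);
}

// Usage.
var_dump(check_password_policy('password'));        // long enough: allowed
var_dump(check_password_policy('pass'));            // too short
printf("10 chars, [a-z0-9]:    %.1f bits\n", entropy_bits(10, 36));
printf("10 chars, [A-Za-z0-9]: %.1f bits\n", entropy_bits(10, 62));
```

The entropy figures come out at roughly 52 bits for a 10-character password over 36 symbols and roughly 60 bits over 62, so folding case adds under 8 bits for a uniformly random password, which is the point Psycho is making; it says nothing about human-chosen passwords, which is what pwqcheck's dictionary and pattern checks are for. The newline guard matters because pwqcheck with `-1` reads exactly one line: without it, "secret\nOK"-style input would be evaluated as just "secret".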