
Size of Hash?


doubledee


I'd suggest using Openwall's passwdqc, if possible.

http://www.openwall.com/passwdqc/

Info on implementing it with PHP once installed:

http://www.openwall.com/articles/PHP-Users-Passwords#enforcing-password-policy

It's far more complex, but it's worth it if it's actually valuable to enforce password policy. With 99% of the sites I build, I never feel a need to enforce anything more than a length of 8 characters or more. Beyond that, if a user wants to use 'password', they're more than welcome to.

Link to comment
https://forums.phpfreaks.com/topic/265087-size-of-hash/page/2/#findComment-1358674

My point was, you can make very complex passwords without following a scheme some developer decided was best for it. Many banks, Facebook, Blizzard, etc. don't even bother with case-sensitive passwords any more. The caps-lock key was too much support time to deal with, and the added entropy of 26 additional choices per character doesn't mean much on a 10-character password for implementation's sake.

I think we are getting to the same conclusion, but have different reasons for getting there. If the user wants a password called "password" or wants to enter the Star-Spangled Banner in 1337 code, that's up to them. With a few exceptions (financial/medical information), an application should not be the arbiter of what is an acceptable password. And, the only reason I think financial/medical type sites should require "complex" passwords is not because they "should" but because they have to in order to prevent lawsuits from users that use simple passwords.

Link to comment
https://forums.phpfreaks.com/topic/265087-size-of-hash/page/2/#findComment-1358705

Archived

This topic is now archived and is closed to further replies.
