[nycphp-talk] Relax your password rules
Gary Mort
garyamort at gmail.com
Tue Jun 10 14:51:28 EDT 2014
On 06/09/2014 10:44 AM, Jerry B. Altzman wrote:
> on 6/7/2014 10:38 AM Gary Mort said the following:
>> A plea to anyone setting up a website where you will have users log
>> on. Make your default password rule something simple, like any 4
>> characters. A password complexity system should allow for multiple
>> tiers of rules with configurable default rule that is set, by default
>> :-), to something simple. Tune those tiers and defaults based on
>> your website need, not by blindly implementing the preachings of the
>> high priests of security.
> http://bit.ly/1xxLQXJ (Link is SFW.)
> Better yet: don't make users create accounts if they don't have to.
> Let them log in with FB, LinkedIn, Twitter, or Google accounts
> instead. The chances are the user already HAS one of those.
I definitely prefer using an external account... going even a step
further you can instead use SSL certificates and the keygen tag.
While the UI is a little clunky on the browser side, on the server side
it works perfectly. Just add a keygen field on your signup or user
profile editor and when the user signs up/submits an edit the client
will automatically generate and send a public key with the form. Server
side you just need to format it into a certificate, sign it with your
SSL key, and send the signed certificate back to the client.
However, while I love all the alternates, the simple password logon
isn't going away - so avoiding hardcoded rules and treating it as a
binary string lets users choose what is convenient to them [I personally
like to add a symbol of some sort, such as the copyright symbol © - but
most password systems are stuck to a limited ASCII range]
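As an added example (not part of the thread), this is what the "tiered rules, treat the password as a binary string" approach from the message above can look like in Python: length is counted in characters rather than bytes, the hash is computed over the UTF-8 bytes so a symbol such as © is accepted, and the tier names and thresholds are assumptions.

```python
import hashlib
import hmac
import os
import unicodedata

# Tiers of password rules (names and thresholds are assumed for this example).
# The site picks which tier is the default; "simple" is the default here.
TIERS = {
    "simple":   {"min_chars": 4},
    "standard": {"min_chars": 8},
    "strict":   {"min_chars": 12, "require_classes": 3},
}
DEFAULT_TIER = "simple"


def count_classes(password):
    """Number of character classes present: lower, upper, digit, other."""
    classes = set()
    for c in password:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("other")   # symbols, including non-ASCII ones like ©
    return len(classes)


def check_policy(password, tier=DEFAULT_TIER):
    """Return None if the password satisfies the tier, else a reason string.
    Length is measured in Unicode characters, so "©" counts as one."""
    rule = TIERS[tier]
    if len(password) < rule["min_chars"]:
        return "need at least %d characters" % rule["min_chars"]
    need = rule.get("require_classes", 0)
    if need and count_classes(password) < need:
        return "need at least %d character classes" % need
    return None


def to_bytes(password):
    """Normalize to NFC so the same visible string always yields the same
    bytes, then treat the UTF-8 encoding as an opaque binary string."""
    return unicodedata.normalize("NFC", password).encode("utf-8")


def hash_password(password, salt=None, iterations=200000):
    """Salted PBKDF2-HMAC-SHA256 over the raw bytes; any byte value is fine."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", to_bytes(password), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored parameters and compare in constant time."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", to_bytes(password),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)
```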