[qjz]

Passwords must be 8 characters or greater

Half of the top 50 cracked Gawker passwords were 8 characters (and longer passwords were not exposed, due to the nature of the vulnerability). Since 8 character passwords are vulnerable to a known common weakness (in DES), this should be revised to:

Passwords must be 9 characters or greater

This will prevent your users from using passwords that are vulnerable to the DES attack if they reuse them on other sites.

[nbpoole]

Lets think about that for a minute. DES truncates at 8 characters, so you're right that if a database with DES-encrypted passwords leaks and is brute forced an attacker will only get the first 8 characters of a password.

But what if my password is the word "biological"? By knowing the first 8 characters, the attacker has drastically reduced the number of guesses that need to be made (assuming a priori knowledge that the password is shared between sites).

Also consider MD5(PASSWORD) and SHA1(PASSWORD). Those are both fairly common constructions for "secure password hashing" [note: they're not really secure] in web applications and both of those would yield up the entire plaintext password if an attacker used a brute-force or rainbow table attack.

If you're designing a secure web application, you can't make your goal to secure all the other websites on the Internet. Bumping the minimum number of characters to 9 wouldn't significantly impact the security of your users. If you're really worried about a situation where a user's password is disclosed, you should consider offering two-factor authentication options for your users.

[qjz]

All good points, but allowing 8 characters still allows '12345678' and 'password', two of the most egregious examples of weak passwords. Granted, weak passwords will always scale to the next minimum ('123456789' or 'passwords' for 9 characters), but 8 character passwords are already among the lowest hanging fruit, so including them in the minimum is misguided.

[nbpoole]

Don't forgot 'password1' ;-)

And the guidelines specifically say "Blacklisted passwords should be implemented (contact infrasec for the list)" which indicates to me that known common passwords like '12345678' and 'password' will be disallowed (although we don't have access to the list).

My opinion (and we may have to agree to disagree on this point) is that adding one character to the minimum is not going to make a significant difference in application security. I don't believe it mitigates the danger of a leak of DES-encrypted passwords. If you're concerned about a scenario where a user's shared password on another site is compromised, your application can use two-factor authentication or mandate the use of strong pass-phrases instead of traditional passwords.