by qjz
5369 days ago
All good points, but allowing 8 characters still allows '12345678' and 'password', two of the most egregious examples of weak passwords. Granted, weak passwords will always scale to the next minimum ('123456789' or 'passwords' for 9 characters), but 8 character passwords are already among the lowest hanging fruit, so including them in the minimum is misguided.
And the guidelines specifically say "Blacklisted passwords should be implemented (contact infrasec for the list)" which indicates to me that known common passwords like '12345678' and 'password' will be disallowed (although we don't have access to the list).
My opinion (and we may have to agree to disagree on this point) is that adding one character to the minimum is not going to make a significant difference in application security. I don't believe it mitigates the danger of a leak of DES-encrypted passwords. If you're concerned about a scenario where a user's shared password on another site is compromised, your application can use two-factor authentication or mandate the use of strong pass-phrases instead of traditional passwords.
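To make the thread's point concrete, here is an added example (not code from any commenter, nor the guidelines or the infrasec list under discussion) contrasting a bare 8-character minimum with a minimum plus a blacklist; the blacklist below is a constructed stand-in, and the "trivial variant" handling that catches '123456789' and 'passwords' is this example's own assumption, not something the thread specifies.

```python
"""Compare a bare 8-character minimum with a minimum plus a blacklist."""

# Constructed stand-in for the "infrasec" blacklist mentioned in the thread; that
# list is not public, so these are just well-known weak passwords for the demo.
COMMON_PASSWORDS = {"password", "12345678", "qwerty", "letmein", "iloveyou"}


def is_sequential_digits(pw: str) -> bool:
    """True for runs like '12345678' or '123456789' (each digit = previous + 1)."""
    return pw.isdigit() and len(pw) >= 4 and all(
        int(b) == int(a) + 1 for a, b in zip(pw, pw[1:])
    )


def matches_blacklist(pw: str, blacklist: set[str]) -> bool:
    """Catch a listed entry and the 'scaled' variants the thread describes,
    e.g. 'passwords' or 'Password1': lowercase, strip trailing digits and
    punctuation, then allow at most two extra characters over a listed word."""
    core = pw.lower().rstrip("0123456789!@#$%^&*.?")
    if pw.lower() in blacklist or core in blacklist:
        return True
    return any(core.startswith(w) and len(core) - len(w) <= 2 for w in blacklist)


def length_only_ok(pw: str, min_length: int = 8) -> bool:
    """The policy the thread objects to: nothing but a length floor."""
    return len(pw) >= min_length


def check_password(
    pw: str, min_length: int = 8, blacklist: set[str] = COMMON_PASSWORDS
) -> list[str]:
    """Return the policy violations for pw; an empty list means it is accepted."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if matches_blacklist(pw, blacklist):
        problems.append("matches a blacklisted password or a trivial variant")
    if is_sequential_digits(pw):
        problems.append("sequential digit run")
    return problems


if __name__ == "__main__":
    for candidate in ["12345678", "123456789", "passwords", "correct horse battery staple"]:
        print(f"{candidate!r}: length-only={length_only_ok(candidate)}, "
              f"violations={check_password(candidate)}")
```

A length-only check passes both '12345678' and 'password'; the blacklist plus variant handling is what actually rejects them and their 9-character successors.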