A plea to anyone setting up a website where you will have users log on. Make your default password rule something simple, like any 4 characters. A password complexity system should allow for multiple tiers of rules with a configurable default rule that is set, by default :-), to something simple. Tune those tiers and defaults based on your website's needs, not by blindly implementing the preachings of the high priests of security.

This is not the security nightmare many so-called "experts" try to lead you to believe. In fact, it is just the opposite. If you require users to use long passwords with 'complexity', then it doesn't really matter how you choose to encode and store those passwords; you might as well be using cleartext storage. Most people will use the same password on every website they sign up for when forced to make them complex, so no matter how securely you hash that password, it's stored on dozens of other websites as well, and the account on your website is only as secure as the weakest security of all the websites they have used it on.

The problem is that since open source software tends to blindly follow the "experts", they all default to either 'mixed case with numbers' or 'mixed case with numbers and symbols'.

A Google account, which is often used as a hub for other logons, access to e-mail for password resets, etc., should use a long, difficult to remember, complex password.

But your NYPHP e-mail list password - which can only be used to change your e-mail subscription options? You can't even post to the list with it. No reason to insist on 'complex' passwords.

If you use password authentication for user accounts, then base your rules on your needs. Site owner/Super Admin/Developer accounts should require complex passwords and two factor authentication. Day to day site manager accounts most likely only need complex passwords [based on the potential damage of a compromised account... if a site manager can give out refunds and credits for an e-commerce site, obviously you want to add extra security!].

User accounts which can access sensitive user data [credit cards, payment methods, etc... though really you shouldn't allow read access to that data!] need complexity. User accounts which can do things like make payments using saved payment methods need complexity.

User accounts which can only add items to a wishlist or cart, post forum messages, etc don't need complexity. YOU may not want someone to be able to post to a forum with your account - but that doesn't mean you have to force complexity on others - you can choose complexity voluntarily and let the users decide how complex/safe they wish their passwords to be.
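One way to build the tiered rule set described above, with a simple configurable default and stricter tiers keyed to what an account can do. This is an added Python example, not code from the post or from NYPHP; the tier names, minimum lengths and role names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class PasswordTier:
    name: str
    min_length: int
    mixed_case: bool = False
    digits: bool = False
    symbols: bool = False
    require_2fa: bool = False


# Assumed tiers: a simple default, "complex" for accounts that can spend money or
# read sensitive data, and "privileged" for owner/admin/developer accounts.
TIERS: Dict[str, PasswordTier] = {
    "simple": PasswordTier("simple", min_length=4),
    "complex": PasswordTier("complex", 12, mixed_case=True, digits=True, symbols=True),
    "privileged": PasswordTier("privileged", 16, True, True, True, require_2fa=True),
}

# The configurable default: applies to any role not listed in ROLE_TIERS.
DEFAULT_TIER = "simple"

# Assumed role -> tier mapping; tune this per site rather than per "expert".
ROLE_TIERS: Dict[str, str] = {
    "owner": "privileged",
    "developer": "privileged",
    "site_manager": "complex",
    "payer": "complex",        # can charge saved payment methods
    "forum_user": "simple",    # can only post, add to wishlist/cart
}


def tier_for_role(role: str) -> PasswordTier:
    return TIERS[ROLE_TIERS.get(role, DEFAULT_TIER)]


def check_password(role: str, password: str, has_2fa: bool = False) -> List[str]:
    """Return the unmet requirements for this role's tier; an empty list means accepted."""
    tier = tier_for_role(role)
    problems: List[str] = []
    if len(password) < tier.min_length:
        problems.append(f"at least {tier.min_length} characters")
    if tier.mixed_case and not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("upper and lower case letters")
    if tier.digits and not re.search(r"\d", password):
        problems.append("a digit")
    if tier.symbols and not re.search(r"[^A-Za-z0-9]", password):
        problems.append("a symbol")
    if tier.require_2fa and not has_2fa:
        problems.append("two-factor authentication enrolled")
    return problems
```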

Every time I browse around to some interesting looking website where I have to "create an account" to access something I get increasingly upset at those sites trying to force their idea of security on an account that I don't care about. If I decide I want to actively use the site and am giving it sensitive information, I will change that password to something complex. If I never return to that site, then I don't care about the account.


_______________________________________________
New York PHP User Group Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk