The below comes from an Australian government site (formatting is mine, for readability):
“Your password must be a minimum length of nine characters, consisting of three of the following – lowercase (a-z) and uppercase (A-Z) alphabetic characters,
numeric characters (0-9) or
special characters (! $ # %).
It cannot contain any 2 consecutive characters that appear in your user ID, first name or last name.
It must not be one of your 8 previous passwords.”
That’s a serious looking ruleset. But does it actually make things safer?
I doubt it. What do you think?
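To see what the quoted ruleset actually accepts, here is an added example (not from the original post or the site it quotes) that encodes the four rules as a validator. It assumes "three of the following" means three of the four classes lowercase, uppercase, digit and special, that the user-ID/name check is case-insensitive, and that password history is kept as hashes (plain SHA-256 here stands in for whatever slow, salted hash a real system would use).

```python
import hashlib
import string

SPECIALS = set("!$#%")  # the four special characters the quoted policy lists


def char_classes(pw):
    """Count how many of the policy's four character classes appear in pw."""
    classes = 0
    classes += any(c in string.ascii_lowercase for c in pw)
    classes += any(c in string.ascii_uppercase for c in pw)
    classes += any(c in string.digits for c in pw)
    classes += any(c in SPECIALS for c in pw)
    return classes


def shared_bigram(pw, identity_fields):
    """Return the first 2-character window of pw found in any identity field, else None."""
    fields = [f.lower() for f in identity_fields if f]
    low = pw.lower()
    for i in range(len(low) - 1):
        pair = low[i:i + 2]
        if any(pair in f for f in fields):
            return pair
    return None


def check_password(pw, user_id, first, last, history_hashes):
    """Return the list of rule violations; an empty list means the policy accepts pw."""
    problems = []
    if len(pw) < 9:
        problems.append("shorter than 9 characters")
    if char_classes(pw) < 3:
        problems.append("fewer than 3 character classes")
    pair = shared_bigram(pw, (user_id, first, last))
    if pair:
        problems.append(f"contains '{pair}' from user ID or name")
    # Assumption: history holds hex SHA-256 digests, oldest first; only the last 8 count.
    if hashlib.sha256(pw.encode()).hexdigest() in history_hashes[-8:]:
        problems.append("matches one of the last 8 passwords")
    return problems


if __name__ == "__main__":
    # Constructed sample: a dictionary-style password sails through every rule.
    print(check_password("Passw0rd!", "jsmith", "John", "Smith", []))  # []
    print(check_password("JohnSmith1!", "jsmith", "John", "Smith", []))
```

Running it shows the thread's point in miniature: "Passw0rd!" satisfies every rule, while a longer passphrase built from the user's own name is rejected.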
I doubt it too.
My quick thoughts:
Outsource the auth – OpenID, Google, Facebook for ease of use. They’ve already given away their personal information there anyway.
If passwords are really needed:
* Blacklist the 25+ most common passwords and user id/names
* Set a low minimum length (5/6 characters) with no complexity requirements
* Lock the account, with an out-of-band notice containing a link to unlock it, if failed brute-force attempts are made on it