Strong Passwords: Education not enforcement

A website I'm working on allows the user to choose passwords, and can also suggest passwords for the user. As I'm fully in control of this program and its password generation and checking strategies, I started to think about what would make the best strategies.

Here are some constraints which I've seen on various systems:

But here are some observations:

So here are my recommendations:

I'm not sure about minimum length. I mean if there are no rules about mandatory characters, and if the system is case insensitive, then without a minimum length users could simply type in "a"? But minimum length might prevent a user from using a password they already know. And given users won't accept rules, if one enforces a minimum length then users will just use 10x "a" or "12341234....". I think, again, education is the key here.

This is quite different to how most websites and most of our industry works. What do you think? Are there resources on this topic I've missed?

Clearly another option is not to maintain passwords at all but instead to use an SSO system like OAuth with a provider who does maintain passwords, e.g. Facebook. But then one is giving a certain amount of power to those providers, and perhaps one doesn't want to do that.

Yet another alternative, given there'll be some "reset password via email" link, is just to say that ownership of the email address is sufficient to indicate authorization. That certainly is the case if you provide such a link, so why not provide only such a link? Every time the user logs on, allow them to type in their email address and click a button; a one-time link then gets delivered to their inbox.
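The one-time login link described above, as an added example that is not code from the original post. The class name, the `example.invalid` URL, the 15-minute lifetime and the in-memory dictionary standing in for a database table are all assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed link lifetime


class LoginLinkStore:
    """In-memory stand-in (assumption) for a table of pending login links."""

    def __init__(self, clock=time.time):
        self._pending = {}  # sha256(token) -> (email, expires_at)
        self._clock = clock

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked table does not yield usable links.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email):
        """Create a link for `email` and return the URL to send to that inbox."""
        # Assumption: addresses are compared case-insensitively.
        email = email.strip().lower()
        # Requesting a new link invalidates any earlier unused one.
        self._pending = {d: v for d, v in self._pending.items() if v[0] != email}
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expires_at = self._clock() + TOKEN_TTL_SECONDS
        self._pending[self._digest(token)] = (email, expires_at)
        return "https://example.invalid/login?token=" + token

    def redeem(self, token):
        """Return the address this token logs in, or None if it is not valid."""
        # pop() makes the link single-use: a second click finds nothing.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if self._clock() > expires_at:
            return None  # expired links are rejected and already removed
        return email
```

The injected `clock` lets expiry be exercised without waiting; a real deployment would also rate-limit `issue` per address so the form cannot be used to flood someone's inbox.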

Off-topic: For password hashing, use bcrypt, which can be made to deliberately take a long time, to thwart brute-force attacks against your hashed passwords in case of a database leak.


This article is © Adrian Smith.
It was originally published on 16 Dec 2012