How do you enforce strong passwords?

Question

There are many techniques to enforce strong passwords on website:

• Requesting that passwords pass a regex of varying complexity
• Setting the password autono

Answer 1

Why enforce it?

I found that a "password strength meter" (a bar indicating password strength as you type) is usually a good non-intrusive measure. It makes those who care about security to have a guilty conscience about password weakness, yet does not frustrate those who do not care as much.

Also, there is an insightful essay on why periodic password change policy is a bad idea with today's threat model.

Answer 2

I don't think it's possible to enforce strong passwords, but there are lots of things you can do to encourage them as much as possible.

• Rate each password and give the user feedback in the form of a score or a graphical bar, etc.
• Set a minimum password score to weed out the awful ones
• Have a list of common words that are either banned, or tank the password score

One excellent trick I like to use is to have the password's expiry date tied to the password score. So stronger passwords don't need to be changed so often. This works particularly well if you can give users direct feedback about how long the password they've chosen will live for (and dynamically update it so they can see how adding characters affects the date).

Answer 3

It's been my experience that it depends really on the type of site, as you said.

If you are creating a bank or financial website then users typically understand if you have a more secure password, since their personal data may be at risk.

However for sites that typically don't contain a lot of personal information a simpler password will be fine. They may be less prone to hack attempts, and wouldn't get anything worthwhile anyway.

I've also found that most people also seem to have a couple passwords they use often. One being complex, and another being simple. So requesting they use a complex password usually won't keep people from registering.

I've never found expiring passwords to work successfully. As I said before, many people already have a set couple of passwords they use often, so asking them to go outside of this just for your site may make them not want to come back.

Answer 4

Don't enforce anything ... if you are not protecting financial information or something equally important, then don't make the user choose a strong password.

I have the same weak password on a whole load of sites that require registration for forums, etc. I don't really care if someone guesses it and can post messages as me (and don't think there is much motivation for someone to do so). What I can't do is remember different strong passwords for a dozen sites and don't really want to use another piece of software to manage them for me.

The best compromise would be to show some kind of feedback to the user on how strong the password is (based on whether it is a dictionary word, number of different character types, length, etc).

Answer 5

The best way really depends on your site and what you are using. But the ideal way is to do as much on the client side as you can before they submit it. Using RegEx is a good way. If you can make them not have to submit the form again, that is ideal.