[nycphp-talk] Relax your password rules

Jerry B. Altzman jbaltz at altzman.com
Mon Jun 9 10:44:06 EDT 2014


on 6/7/2014 10:38 AM Gary Mort said the following:
> A plea to anyone setting up a website where you will have users log 
> on. Make your default password rule something simple, like any 4 
> characters.  A password complexity system should allow for multiple 
> tiers of rules with configurable default rule that is set, by default 
> :-), to something simple.  Tune those tiers and defaults based on your 
> website need, not by blindly implementing the preachings of the high 
> priests of security.
http://bit.ly/1xxLQXJ (Link is SFW.)
Better yet: don't make users create accounts if they don't have to. Let 
them log in with FB, LinkedIn, Twitter, or Google accounts instead. The 
chances are the user already HAS one of those.

> If you use password authentication for user accounts, then base your 
> rules on your needs.  Site owner/Super Admin/Developer accounts should 
> require complex passwords and two factor authentication.  Day to day 
> site manager accounts most likely only need complex passwords[based on 
> potential damage of a compromised account...if a site manager can give 
> out refunds and credits for an e-commerce site, obviously you want to 
> add extra security!]
Yes, for these things, you almost certainly want a second layer of 
authentication atop the ones above. For these, little crypto keyfobs are 
great. If the potential financial loss is large, the client should not 
balk at the relatively small cost.

> Every time I browse around to some interesting looking website where I 
> have to "create an account" to access something I get increasingly 
> upset at those sites trying to force their idea of security on an 
> account that I don't care about.  If I decide I want to actively use 
> the site and am giving it sensitive information, I will change that 
> password to something complex.  If I never return to that site, then I 
> don't care about the account.

More and more people just use "I forgot my password", and deal with it 
that way. Either you've exchanged the password for a security question, 
or just access to a user's email.

//jbaltz

-- 
jerry b. altzman | jbaltz at altzman.com | www.jbaltz.com | twitter:@lorvax
thank you for contributing to the heat death of the universe.
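As an added example, not code from this thread or from either poster, the following Python sketches the tiered password rules Gary describes above and the second-factor requirement Jerry seconds for high-value accounts: a simple default tier for throwaway accounts, stricter tiers for managers and site owners, and an admin tier that refuses to pass unless a second factor is enrolled. The tier names, length thresholds and character-class counts are assumed values chosen for illustration, not anything the list recommends.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PasswordTier:
    """One rule set in the tiered policy (hypothetical structure)."""
    name: str
    min_length: int
    required_classes: int = 0          # how many of lowercase/uppercase/digit/symbol must appear
    require_second_factor: bool = False


# Assumed tier configuration: the default is deliberately lax, the
# privileged tiers tighten up based on the damage a compromised account could do.
TIERS: Dict[str, PasswordTier] = {
    "visitor": PasswordTier("visitor", min_length=4),
    "manager": PasswordTier("manager", min_length=12, required_classes=3),
    "admin": PasswordTier("admin", min_length=16, required_classes=4,
                          require_second_factor=True),
}
DEFAULT_TIER = "visitor"

CLASS_PATTERNS = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def character_classes(password: str) -> int:
    """Count how many of the four character classes the password uses."""
    return sum(1 for pattern in CLASS_PATTERNS.values() if pattern.search(password))


def check_password(password: str, role: Optional[str] = None,
                   second_factor_enrolled: bool = False) -> List[str]:
    """Return a list of policy violations for this password under the role's tier.

    An empty list means the password is acceptable. An unknown role raises
    rather than silently falling back to the lax default tier, so a typo in a
    role name cannot weaken the rules for a privileged account.
    """
    tier_name = DEFAULT_TIER if role is None else role
    if tier_name not in TIERS:
        raise ValueError(f"unknown role {tier_name!r}; no tier configured")
    tier = TIERS[tier_name]

    problems: List[str] = []
    if len(password) < tier.min_length:
        problems.append(f"{tier.name}: at least {tier.min_length} characters required")
    found = character_classes(password)
    if found < tier.required_classes:
        problems.append(f"{tier.name}: at least {tier.required_classes} character "
                        f"classes required (found {found})")
    if tier.require_second_factor and not second_factor_enrolled:
        problems.append(f"{tier.name}: a second authentication factor must be enrolled")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    print(check_password("abcd"))                                        # visitor tier: ok
    print(check_password("abcd", "admin"))                               # three violations
    print(check_password("Correct-Horse-Battery-9", "admin", True))      # ok
```

The check is meant to run on password creation and change, and again whenever an account is promoted into a stricter tier; since only a hash is stored, a promotion to manager or admin should force a new password and second-factor enrollment rather than trusting that the old visitor-tier password happens to qualify.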