Meng Lu

Reputation: 14626

What is a set of sensible requirements on passwords?

For example, Chase.com requires

I am not sure if the length and the exclusion of "special characters" are common practice. For example, I remember seeing the length required to be 8 or less, and no restriction on punctuation, on other sites.

What is a generally common set of requirements on passwords? One of the purposes is to automatically generate passwords that are compatible with a large number of websites.

Upvotes: -1

Views: 803

Answers (4)

A. K.

Reputation: 38098

What is a generally common set of requirements on passwords?

Password requirements try to ensure that the password cannot be guessed.

According to: http://technet.microsoft.com/en-us/library/cc756109(WS.10).aspx

A weak password:

Is no password at all.

Contains your user name, real name, or company name.

Contains a complete dictionary word. For example, Password is a weak password.

A strong password:

Is at least seven characters long.

Does not contain your user name, real name, or company name.

Does not contain a complete dictionary word.

Is significantly different from previous passwords. Passwords that increment (Password1, Password2, Password3 ...) are not strong.

Contains characters from each of the following four groups: Uppercase letters, Lowercase letters, Numerals, Other symbols

Some websites do not require special characters, while most of them require at least 8 characters in a password. Most people have too many user accounts, which makes it difficult to have a lot of good strong passwords.

In general I keep the first 8 characters of my password as letters+numerals, and special characters at the end, so that when I make a new account on a website that does not require special characters, I simply have to type the first 8 characters of my password. This saves me from guessing/generating strong passwords every now and then.

Upvotes: 1
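The Microsoft list quoted in this answer can be turned into a mechanical check. The following is an added example, not code from the answer or from Microsoft; the six-word dictionary is constructed for the demo (a real check would load a full word list or a leaked-password list), and the similarity threshold of 0.8 for "significantly different from previous passwords" is an assumption, since the source gives no number.

```python
import string
from difflib import SequenceMatcher

# Constructed toy dictionary for this demo; a real check would load a full
# word list (e.g. /usr/share/dict/words) or a leaked-password list.
DICTIONARY = {"password", "welcome", "dragon", "summer", "monkey", "letmein"}

CHARACTER_GROUPS = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "numerals": set(string.digits),
    "symbols": set(string.punctuation),
}


def contains_dictionary_word(password, dictionary=DICTIONARY, min_len=4):
    """True if a complete dictionary word of min_len+ letters appears in the
    password, ignoring case. Very short words would match almost anything."""
    lowered = password.lower()
    return any(len(word) >= min_len and word in lowered for word in dictionary)


def missing_groups(password):
    """Names of the four character groups not represented in the password."""
    chars = set(password)
    return [name for name, group in CHARACTER_GROUPS.items() if not chars & group]


def too_similar(password, previous, threshold=0.8):
    """Flag a password that is a small edit of an earlier one (Password1 ->
    Password2 has a similarity ratio of about 0.89). Threshold is assumed."""
    return any(
        SequenceMatcher(None, password.lower(), old.lower()).ratio() >= threshold
        for old in previous
    )


def check_password(password, user_name="", real_name="", company="", previous=()):
    """Return the list of rules the password violates; an empty list means it
    passes every rule in the Microsoft list quoted above."""
    if not password:
        return ["no password at all"]
    problems = []
    if len(password) < 7:
        problems.append("shorter than 7 characters")
    lowered = password.lower()
    for label, value in (("user name", user_name),
                         ("real name", real_name),
                         ("company name", company)):
        # Check the full value and each of its words (e.g. first name alone);
        # skip fragments under 3 letters, which would match by accident.
        parts = [value] + value.split()
        if any(len(p) >= 3 and p.lower() in lowered for p in parts):
            problems.append(f"contains {label}")
    if contains_dictionary_word(password):
        problems.append("contains a complete dictionary word")
    missing = missing_groups(password)
    if missing:
        problems.append("missing character groups: " + ", ".join(missing))
    if too_similar(password, previous):
        problems.append("too similar to a previous password")
    return problems


if __name__ == "__main__":
    for pw in ["", "Kx7!", "Password2", "MengLu#2024x", "qR4$vLm9#w"]:
        print(repr(pw), check_password(pw, user_name="mlu", real_name="Meng Lu",
                                       previous=["Password1"]))
```

Note that the "no complete dictionary word" rule is only as good as the word list behind it, and that `difflib.SequenceMatcher` is a convenience here; a production history check would compare against stored hashes of previous passwords rather than the plaintexts this demo keeps in memory.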

Joe White

Reputation: 97656

A truly reasonable requirement would be "anything generated by Diceware". Multiple words, no requirement of special characters.

Xkcd explains why:

Upvotes: 2

Keith Thompson

Reputation: 263177

One thing that I've found personally annoying is sites that require, for example, at least one punctuation character, or a mix of upper and lower case letters, and so forth. Apparently abcd!3FG is a good password, but dcipdzvqxzcdhrti (16 random lower case letters, 75+ bits) is a bad one.

I tend to use long random sequences of lower case letters, partly because they're much easier to type on small mobile devices; a letter might be 1 keystroke, whereas '>' might be 4, with the entry method varying from one device to another.

On the other hand, detecting whether a given password is strong or weak is a really hard problem. The only real way to do it would be to reproduce the techniques used by the bad guys trying to guess your password, which is an impossible problem in general. For most users (the ones who don't know that dcipdzvqxzcdhrti has 75+ bits of entropy, and probably wouldn't understand it if you told them), requiring funny characters is probably a decent heuristic.

Relevant.

Upvotes: 2
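The entropy figures in this answer (16 random lowercase letters, 75+ bits) and the Diceware approach from Joe White's answer above both come down to one formula: length times log2 of the alphabet size. The block below is an added example, not code from either answer or from the Diceware project; it computes those figures, generates passwords with the `secrets` module, and shows how a "four character groups" policy can be met without giving up uniform sampling. The eight-word list is a constructed stand-in for a real Diceware list (which has 7776 words); the policy helper `policy_password` and the 75-bit target are assumptions for the demo.

```python
import math
import secrets
import string

# Alphabets a site policy might allow; printable ASCII without space is 94 symbols.
LOWER = string.ascii_lowercase                  # 26
ALNUM = string.ascii_letters + string.digits    # 62
PRINTABLE = ALNUM + string.punctuation          # 94

# Constructed stand-in for a Diceware list (a real list has 6**5 = 7776 words,
# about 12.9 bits per word); the eight words here give only 3 bits per word.
TOY_WORDLIST = ["cable", "dusk", "fjord", "gravel", "hazel", "lumen", "pixel", "quilt"]
DICEWARE_LIST_SIZE = 7776


def entropy_bits(length, alphabet_size):
    """Entropy of `length` symbols drawn uniformly from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits, alphabet_size):
    """Shortest length from this alphabet that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def random_password(length, alphabet=LOWER):
    """Uniformly random password; `secrets` is CSPRNG-backed, unlike `random`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def diceware_passphrase(n_words, wordlist=TOY_WORDLIST):
    """Diceware-style passphrase: n_words picked uniformly with replacement."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def has_all_groups(text):
    """True if upper, lower, digit and punctuation are all present."""
    return (any(c.isupper() for c in text) and any(c.islower() for c in text)
            and any(c.isdigit() for c in text)
            and any(c in string.punctuation for c in text))


def policy_password(length, alphabet=PRINTABLE):
    """Password satisfying a 'four groups' policy by rejection sampling: draw
    uniformly from the alphabet and retry until every group is present. This
    stays uniform over the accepted set, so the entropy loss relative to
    length * log2(94) is small once the length is around 10 or more."""
    if length < 4:
        raise ValueError("need at least 4 characters to cover four groups")
    if not has_all_groups(alphabet):
        raise ValueError("alphabet must contain all four character groups")
    while True:
        candidate = random_password(length, alphabet)
        if has_all_groups(candidate):
            return candidate


if __name__ == "__main__":
    print("16 lowercase letters:", round(entropy_bits(16, 26), 1), "bits")
    print("8 printable ASCII   :", round(entropy_bits(8, 94), 1), "bits")
    print("6 Diceware words    :", round(entropy_bits(6, DICEWARE_LIST_SIZE), 1), "bits")
    for size in (26, 62, 94):
        print(f"length for 75 bits from {size} symbols:", length_for_bits(75, size))
    print(random_password(16), policy_password(12), diceware_passphrase(4))
```

The comparison makes the answer's complaint concrete: 16 lowercase letters give about 75 bits, while an 8-character password drawn from all 94 printable characters gives only about 52, and a composition rule cannot tell the two apart. For the generator the question asks about, the practical lever is length, not character classes: pick a bit target, call `length_for_bits` for whatever alphabet the site permits, and only fall back to `policy_password` when the site insists on mixed groups.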

OverMars

Reputation: 1049

I would say password length should be a minimum of 8 characters; obviously the longer the better. Special characters and numbers are not mandatory, but they do add to the complexity of the password greatly. I have many online accounts, ranging from personal to business, and they all support up to 32 characters with a minimum of 8, are case sensitive, and support special characters.

Also, I highly recommend special characters, because they quite often reduce the password's reference to a dictionary word.

It's not much; I hope, at the very least, it points you in the right direction.

Sam

Upvotes: 0
