In a world where the biggest security risk exists between the chair and the keyboard, weak passwords are the quickest way of allowing yourself to be hacked. A brute force attack on an 8-character lowercase password can be done in (micro)seconds. And although you should always protect your application against these attacks (e.g. by allowing three wrong password entries before suspending the account), I’ve always felt you should be “training” your end-users. Help them create strong passwords so that this specific part of security is the least of your worries when developing a web application.
I’ve been using the following regular expression for my passwords for some time now.
This regular expression doesn’t set a maximum number of allowed characters but it will check if the password:
- contains at least 1 uppercase letter
- contains at least 1 lowercase letter
- contains at least 1 number or special character
- is at least 8 characters in length
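As an added example (not the author’s own expression), here is a Python check that enforces the same four rules with one lookahead per rule; it assumes “special character” means any non-alphanumeric ASCII character, and also reports which rule a candidate fails so a sign-up form can tell the user what to fix:

```python
import re

# Added example (not the author's expression): one lookahead per rule,
# with no upper bound on length.
PASSWORD_RE = re.compile(
    r"""
    ^
    (?=.*[A-Z])      # at least 1 uppercase letter
    (?=.*[a-z])      # at least 1 lowercase letter
    (?=.*[\d\W_])    # at least 1 digit or special character
    .{8,}            # at least 8 characters, no maximum
    $
    """,
    re.VERBOSE | re.ASCII,
)

# The same four rules kept separately, so the form can report what is missing.
RULES = [
    ("needs an uppercase letter", re.compile(r"[A-Z]", re.ASCII)),
    ("needs a lowercase letter", re.compile(r"[a-z]", re.ASCII)),
    ("needs a digit or special character", re.compile(r"[\d\W_]", re.ASCII)),
    ("needs at least 8 characters", re.compile(r".{8,}", re.ASCII)),
]


def is_strong_password(candidate: str) -> bool:
    """True when the candidate satisfies all four rules at once."""
    return PASSWORD_RE.fullmatch(candidate) is not None


def failed_rules(candidate: str) -> list[str]:
    """List the rules the candidate fails, so the user can fix them."""
    return [msg for msg, rx in RULES if rx.search(candidate) is None]


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for pw in ["secret", "Secret123", "Abcdefg1", "Abcdef1", "Correct-Horse"]:
        print(f"{pw!r:16} strong={is_strong_password(pw)} {failed_rules(pw)}")
```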
Now, if only we were able to prevent people from writing down their passwords, the world would be a better place for a web developer.