Comments on: Web Developers: Don’t Be Password Idiots

By: Mohan Arun L.

Mohan Arun L. — Mon, 18 Oct 2010 17:00:51 +0000

Nice point out! Too often, web services or web apps that do not really need much security from my personal standpoint try to enforce rules like: must contain one alphabet, one number, and one special character and should be longer than 6 characters. I just tend to use a standard password of 123456 for many web apps i sign up for. It annoys me when these sites think they are supposed to be so secure when it is nothing but an online rss reader application. So whats the worst an imposter can do with my rss feeds list? delete feeds? so what? It isnt a matter of life or death. Development People need to remember to use password enforcement policies wisely – it makes sense if it is an online banking app or an web mail app, but for silly online services?

By: Harsha M V

Harsha M V — Thu, 03 Jun 2010 17:43:59 +0000

nice article.. i agree we need to add salt to the hashes

By: Krumpet

Krumpet — Fri, 08 Jan 2010 19:50:22 +0000

Agreed. I use some sites that have the most ridiculous password rules (Merrill Lynch, Smith Barney, I’m looking at BOTH of you). It’s like their devs never bothered to think at all. Frustrating.

By: kevin

kevin — Thu, 25 Jun 2009 17:03:18 +0000

Also, OpenID is the solution to this stuff. We all should be using it.

By: kevin

kevin — Thu, 25 Jun 2009 17:01:26 +0000

Key thing about the type of characters input into a form is for server protection. Sure, you might be storing it as a hash or something, but I think the aim is to avoid people inputing binary/shell active code into a form.

By: BlueBoden

BlueBoden — Thu, 25 Jun 2009 16:50:19 +0000

I just had to deal with the same idiocy on paypals development site. They forced me to use at lease one upper letter character in my password, even though i had underscores included.

That was where it hit me, that I’d much rather have them generate my password as a user, then spend time making a new one for their site alone, not to mention writing it down afterwards.

It would be cool as a second option, if you must have these ridiculous “security” features.

The most annoying “security” feature, is the secret question. I almost always just hit in a bunch of random characters on those. REALLY, secret question should be optional, not required!!

But its no worse then pointless CAPTCHA’s, like the one found on this blog, design your own CAPTCHA system damn it, and only throw them out when a visitors behaviour reassembles that of a bot.

The “stop spam. read books.” CAPTCHA is paticuler useless, and should be avoided at all costs. In that it fails about 70% of the time, and annoys users. And in that its effectively digitalizing books, and not giving people anything in return for their efforts.

By: Stefan F

Stefan F — Thu, 25 Jun 2009 12:24:44 +0000

Nice article, but here is another idea: Even 4 characters may provides sufficient security if used with a max amount of wrong attempts – throttling down the number of brute force attempts from 1,000 per second to 5 per day makes a considerable difference in you table ;)

By: Arjan’s World » LINKBLOG for June 23, 2009

Arjan’s World » LINKBLOG for June 23, 2009 — Tue, 23 Jun 2009 19:50:45 +0000

[...] Web Developers: Don’t Be Password Idiots – Ian Some important tips for implementing a password scheme on your website [...]

By: The Dave

The Dave — Tue, 23 Jun 2009 01:01:02 +0000

#6: Salt your hashes. For the love of jeebus, use salt. I don’t care what your blood pressure is, throw some salt on your hashes right here and right now.