|Assignee:||Alexander Blum||% Done:|
|Category:||-||Estimated time:||0.50 h|
|Target version:||Repertoire 1) Testing phase I|
Shall we enforce constraints on the passwords?
- Minimum character number (e.g. 8)
- Character set (e.g. capital, small, number, special character)
I assume this concept has been broken for ages.
The best measure against the most stupid passwords would be a blacklist.
So, I propose a blacklist and minimum character number.
#1 Updated by Meik Michalke over 4 years ago
- Assignee changed from Meik Michalke to Alexander Blum
generally, i think that relying on passwords as the only means to protect access to online accounts is a thing of the past. we should keep U2F in mind to be added in the mid term (but not right now).
that said, demanding a minimal length (i'd vote for 10 instead of 8) in combination with a check similar to e.g. "john the ripper" should do it for the moment. guess that could be implemented using a blacklist, if that particular blacklist is defined reasonably and updated on a regular basis.
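An added example, not part of the original thread or the project's code: a password check that combines the minimum length of 10 suggested above with a blacklist lookup that first undoes simple mangling (case, leetspeak, trailing digits and punctuation), the kind of variation tools such as John the Ripper try. The blacklist entries and the names `check_password` and `candidates` are constructed for illustration.

```python
import unicodedata

MIN_LENGTH = 10  # value suggested in comment #1 (the issue text proposed 8)

# Constructed sample entries; a real deployment would load a maintained,
# regularly updated list from a file instead.
BLACKLIST = {"password", "qwertyuiop", "letmein", "iloveyou", "welcome"}

# Substitutions that word-mangling rules commonly apply (assumed set).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# Characters users typically append to reach a required length.
PADDING = "0123456789!?.#*"


def candidates(password):
    """Return the normalized forms that are compared against the blacklist."""
    base = unicodedata.normalize("NFKC", password).casefold()
    stripped = base.rstrip(PADDING)  # "password2019!" -> "password"
    forms = {base, stripped}
    forms |= {form.translate(LEET) for form in (base, stripped)}
    return forms


def check_password(password):
    """Return a list of rejection reasons; an empty list means accepted."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too_short")
    if candidates(password) & BLACKLIST:
        reasons.append("blacklisted")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("letmein", "P@ssw0rd2019!", "Qwertyuiop",
                   "correct horse battery"):
        print(f"{sample!r}: {check_password(sample) or 'accepted'}")
```

The second sample is 13 characters long and would pass a pure length rule; only the normalized blacklist lookup rejects it.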