Tagged Questions

30 votes, 9 answers, 1k views

Are there any valid reasons for disallowing characters and limiting the length of passwords?

I've come across quite a few sites that either limit the length they allow passwords to be and/or disallow certain characters. That's limiting to me as I want to widen and lengthen the search space of ...
26 votes, 14 answers, 887 views

What if the client needs the ability to retrieve passwords?

I've currently inherited an application at work and to my dismay, I have realized that the user passwords stored in the database are encrypted using an in house encryption function, which also ...
17 votes, 7 answers, 348 views

Citations for inadvisability of globally unique password

I am having a disagreement with someone (a client) about the user identification/authentication process for a system. The nub of it is that they want each user to have a globally unique password ...
13 votes, 13 answers, 593 views

How do you keep track of all your passwords? [closed]

I'm going to ask this question at the risk of someone exposing me their own personal algorithm, if that's what you do please don't post that! I'm interested in learning what software you use to ...
12 votes, 8 answers, 1k views

Is an 'if password == XXXXXXX' enough for minimum security?

If I create a login for an app that has middle to low security risk (in other words, it's not a banking app or anything), is it acceptable for me to verify a password entered by the user by just saying ...
11 votes, 8 answers, 935 views

Punishing users for insecure passwords

I'm thinking about limiting the rights of users who choose insecure passwords (insecurity of a password being determined by length, how many types of characters (upper/lower case, numbers, symbols, ...
8 votes, 5 answers, 539 views

“Forgot Password” - How to handle this?

I read this answer http://programmers.stackexchange.com/questions/15350/why-do-websites-restrict-the-number-choice-of-characters-in-a-password/15351#15351 and found a comment insisting not to send ...
8 votes, 6 answers, 677 views

Why do websites restrict the number & choice of characters in a password?

Registering on an insurance company's website right now, and my password is 16 characters long, using a nice variety of letters, numbers, special characters, etc. However, here's their list of ...
7 votes, 8 answers, 531 views

What is a reasonable and secure password requirement for user registration?

This is the password policy I just got from UPS (just for package status checking): Your password must be between 8 and 26 characters long. It must contain at least three of the following ...
7 votes, 3 answers, 188 views

Storing passwords for usage in scripts

There are few situations that require users to provide their password while automating things during development process. Site deployment is only one of the common situations. Creating dmg files under ...
7 votes, 8 answers, 563 views

Are you obliged to provide old employers with access to protected resources?

Firstly, a disclaimer. This question is not because I'm a disgruntled employee planning to hide some malicious code which I can later blackmail my employer with. I actually quite like the people I ...
6 votes, 7 answers, 235 views

Password hashing and support to your user

We've recently moved to a better password storage strategy, with it came all the good stuff: Passwords are stored after going through bCrypt User is sent an activation link on account creation to ...
5 votes, 3 answers, 301 views

Is there any legislation requiring how we store passwords?

Given the Sony data breach and other events recently, are there any actual laws or regulation regarding how to store passwords? I think there are with credit cards, you're not allowed to store the 3 ...
5 votes, 1 answer, 277 views

Is there an official standard regarding user password storage practices?

I recently used a government service that I had an account for from years ago. I couldn't remember my password for the service so I used the "forgot password" link and was astonished to see that this ...
5 votes, 4 answers, 502 views

Facebook - Isn't this a big vulnerability risk for users? (After Password Change)

I would like to know your opinions as programmers / developers. When I changed my Facebook password yesterday, by mistake I entered the old one and got this: Am I missing something here or this is ...