Password Best Practices

posted on 11:31 AM, December 2, 2009

The biggest security hole on your website is your login form. If you allow weak passwords, then no special hacker tricks are needed to break into your website - a simple password-guessing program will do the job just as well.

The following password types are weak and can often be guessed by simple password-guessing programs:

  • common names
  • words that can be found in the dictionary
  • common letter or keyboard sequences such as "abc" or "asdf"
  • any short sequences of letters
  • short PINs - for example, a 3-digit PIN requires at most 1000 guesses, which a program can make in a very short amount of time

ExSite tries to detect these cases and, depending on your security settings, may reject such weak passwords. If your password is rejected as too weak, you can make it much stronger with some minor changes, such as:

  • using more characters (for example, a pass-phrase instead of a pass-word)
  • mixing letters, numbers, and punctuation
  • using mixed case
  • avoiding dictionary words

Examples:

PASSWORD          NOTES
password          very weak
password1         one of the most common passwords in general use - but still quite weak
pA55-w0rd!        strong
maryjane          weak - uses common names
Mary-Jane         stronger - due to mixed case and punctuation
2 b or not 2 b    strong
K&x9#uv)+-?       extremely strong, but a nuisance to remember and type :-(
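As an added illustration (not ExSite's own code), the following Python checker turns the weakness categories and strengthening tips above into heuristics and rates the example passwords from the table. The word lists, the 8-character and 6-digit thresholds, and the scoring weights are constructed assumptions, not ExSite's rules.

```python
import re

# Constructed mini word lists standing in for real dictionary, name and
# common-password lists (assumption: a deployment would load full lists).
DICTIONARY = {"password", "pass", "word", "or", "not", "love", "secret", "admin"}
COMMON_NAMES = {"mary", "jane", "john", "michael", "sarah", "david"}
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein"}
KEYBOARD_ROWS = ("abcdefghijklmnopqrstuvwxyz", "qwertyuiop", "asdfghjkl", "zxcvbnm", "0123456789")


def decompose(text, vocab):
    """Greedy longest-match split of text into vocab words; None if impossible."""
    parts, i = [], 0
    while i < len(text):
        match = next((text[i:j] for j in range(len(text), i, -1) if text[i:j] in vocab), None)
        if match is None:
            return None
        parts.append(match)
        i += len(match)
    return parts


def weakness_reasons(pw):
    """Return the weakness categories from the article that apply to pw."""
    low = pw.lower()
    letters = re.sub(r"[^a-z]", "", low)
    reasons = []
    if low in COMMON_PASSWORDS:
        reasons.append("common password")
    # One or two names/words glued together (maryjane) is guessable; a
    # passphrase made of several words is deliberately not flagged here.
    names = decompose(letters, COMMON_NAMES) if letters else None
    if names and len(names) <= 2:
        reasons.append("common names")
    words = decompose(letters, DICTIONARY) if letters else None
    if words and len(words) <= 2:
        reasons.append("dictionary word")
    if any(low[i:i + 3] in row or low[i:i + 3] in row[::-1]
           for row in KEYBOARD_ROWS for i in range(len(low) - 2)):
        reasons.append("keyboard sequence")
    if pw.isalpha() and len(pw) < 8:          # assumed threshold for "short"
        reasons.append("short letter sequence")
    if pw.isdigit() and len(pw) < 6:          # a 3-digit PIN: 10**3 = 1000 guesses
        reasons.append(f"short PIN ({10 ** len(pw)} guesses at most)")
    return reasons


def rate(pw):
    """Heuristic rating: length times character classes used, minus 8 per weakness."""
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    score = len(pw) * classes - 8 * len(weakness_reasons(pw))
    return "very weak" if score < 0 else "weak" if score < 12 else "moderate" if score < 24 else "strong"
```

Running rate() over the table's passwords reproduces its ordering: "password" rates very weak, "password1" and "maryjane" weak, "Mary-Jane" moderate, and the three remaining entries strong.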

Note that ExSite requires administrator passwords to be stronger than those of regular users.

ExSite's password strength requirements can be adjusted if you want to relax them and allow weaker passwords. However, you should be aware that weaker passwords mean a weaker website. Before bowing to users' demands to allow weak passwords, you should always consider your obligations and liability with respect to protecting your clients' personal information.