On Mon, Oct 13, 2014 at 11:27 AM, Jessica Hamilton <jessica.l.hamilton@xxxxxxxxx> wrote:
>
> Hi,
>
> I noticed that we use an archaic password policy in HaikuDepot[1].
>
> Can we please change this to use actually strong[2] passwords instead?
>
> We should at the very least drop the requirement of caps & symbols
> (obviously users can still use these if they desire, not that they add
> significant entropy).
>
> And at a minimum, increase password length to say 19 characters? This

19 characters? That seems a bit much to me, personally. I think it starts to go into the realm of ridiculousness once you are hitting 14 characters or so, although 12-16 characters looks like the sweet spot to me at this point in time.

I agree that caps and symbols don't buy you much, as password length is much more important to providing password strength.

How does everybody else feel about this? I think something like a minimum length of 10 characters, with one letter (upper or lower case) and one number being required, would likely work out better than the current solution of an 8-character minimum with two upper case letters and two numbers being required.

Also, I didn't test this yet, but preventing login attempts from happening in rapid-fire fashion will go a long way as well.

I found this site to be helpful for me when I was choosing my own personal password policy that was a good balance between strength and convenience (when I have to enter passwords on a mobile device, for instance).

https://www.grc.com/haystack.htm

- joe
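The two policies compared in the message above, worked through in code. This is an added example, not HaikuDepot's own code: it encodes the current rule (8 characters, two upper case, two digits) and joe's proposed rule (10 characters, one letter, one digit) as validators, estimates the exhaustive search space for a password the way the linked haystack page does (sum of alphabet^i for lengths 1..n, with 26/26/10/33 as the class sizes), and adds a small sliding-window throttle for the rapid-fire login point. The sample passwords, class sizes and throttle limits (5 failures per 300 seconds) are assumptions chosen for illustration.

```python
"""Added example (not HaikuDepot code): compare the two password policies from
the thread, estimate haystack-style search space, and throttle login attempts.
Policy numbers, class sizes and throttle limits are assumptions for illustration."""
import string
from collections import defaultdict, deque

# Character classes and the alphabet size an attacker must cover for each.
# 33 symbols = string.punctuation (32) plus space, matching the haystack page.
CLASSES = {
    "lower": (string.ascii_lowercase, 26),
    "upper": (string.ascii_uppercase, 26),
    "digit": (string.digits, 10),
    "symbol": (string.punctuation + " ", 33),
}


def classes_present(pw):
    """Names of the character classes that appear in pw."""
    return {name for name, (chars, _) in CLASSES.items() if any(c in chars for c in pw)}


def alphabet_size(pw):
    """Size of the smallest standard alphabet that covers every character in pw."""
    return sum(CLASSES[name][1] for name in classes_present(pw))


def meets_current_policy(pw):
    """Policy as described in the thread: >= 8 chars, >= 2 upper case, >= 2 digits."""
    return (len(pw) >= 8
            and sum(c.isupper() for c in pw) >= 2
            and sum(c.isdigit() for c in pw) >= 2)


def meets_proposed_policy(pw):
    """Joe's suggestion: >= 10 chars, at least one letter (any case) and one digit."""
    return (len(pw) >= 10
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw))


def search_space(length, alphabet):
    """Haystack-style exhaustive search: every string of length 1..length."""
    return sum(alphabet ** i for i in range(1, length + 1))


def password_search_space(pw):
    """Search space for pw given only its length and the classes it uses."""
    return search_space(len(pw), alphabet_size(pw))


class LoginThrottle:
    """Sliding-window lockout: deny an account once max_failures failed logins
    have been recorded within the last `window` seconds. The caller passes the
    clock in, so the behaviour is deterministic and testable offline."""

    def __init__(self, max_failures=5, window=300):
        self.max_failures = max_failures
        self.window = window
        self._failures = defaultdict(deque)  # account -> timestamps of failures

    def _prune(self, account, now):
        q = self._failures[account]
        while q and now - q[0] > self.window:
            q.popleft()

    def record_failure(self, account, now):
        self._prune(account, now)
        self._failures[account].append(now)

    def allowed(self, account, now):
        self._prune(account, now)
        return len(self._failures[account]) < self.max_failures


if __name__ == "__main__":
    # Constructed sample passwords: a policy-compliant short one, a long
    # lowercase passphrase, and a short "complex" one.
    for pw in ("PAssword12", "correcthorsebatterystaple", "Tr0ub4dor&3"):
        print(f"{pw:28} current={meets_current_policy(pw)!s:5} "
              f"proposed={meets_proposed_policy(pw)!s:5} "
              f"alphabet={alphabet_size(pw):3} space={password_search_space(pw):.2e}")
```

The output makes the length-versus-complexity point directly: a 16-character all-lowercase password (26^16, about 4e22) has a larger search space than an 11-character password drawing on all four classes (95^11, about 6e21), which is why the proposed policy lets length carry the strength rather than forcing specific classes. The throttle is independent of the policy and is what actually blunts online guessing, since the haystack numbers only matter against an attacker who can try guesses at full speed.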