When it comes to users setting their own passwords, there is a very fine line between an insecure password that is easy to crack and a secure one that, in turn, is difficult to remember.
Tips for Developers
When developing a password protected area, it is important to remember the following when it comes to password constraints:
- Set a minimum password length that is clearly labeled to the user.
- Do not set a maximum password length.
- Set a blacklist of words, e.g. ‘password’, the user’s name, etc.
- Use a scoring system that updates itself as the user is typing. The higher the number, the stronger the password.
Another important point is not to force users to change their password all of the time. This should only really be required if the user’s account has been compromised in any way. A number of incorrect login attempts is a good indicator of this. A good rule would be to lock out a user after ten failed login attempts.
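As an added example (not code from the original post), here is how the constraints above and the ten-attempt lockout could be enforced in Python. The minimum length of 12, the contents of the blacklist and the entropy-style scoring formula are my assumptions, since the post does not specify them; the blacklist also catches the user’s own login and display name inside the password.

```python
import math
import string

MIN_LENGTH = 12            # assumed value; the post only says to set and label a minimum
MAX_FAILED_ATTEMPTS = 10   # the post's suggested lockout threshold

# Constructed blacklist; a real deployment would load a large common-password list.
BLACKLIST = {"password", "qwerty", "letmein", "123456"}


def blacklisted_terms(password, username, display_name):
    """Return blacklisted words, plus the user's own name/login, found inside the password."""
    lowered = password.lower()
    candidates = set(BLACKLIST) | {username.lower()}
    candidates |= {part.lower() for part in display_name.split() if len(part) >= 3}
    return {word for word in candidates if word and word in lowered}


def score(password):
    """Live strength score: estimated entropy in bits (a heuristic I assume, not the post's)."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation or c == " " for c in password):
        pool += 33  # punctuation plus space, roughly
    return round(len(password) * math.log2(pool)) if pool else 0


def check(password, username, display_name):
    """Apply the constraints; there is deliberately no maximum length."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"at least {MIN_LENGTH} characters are required")
    found = blacklisted_terms(password, username, display_name)
    if found:
        problems.append("contains blacklisted term(s): " + ", ".join(sorted(found)))
    return {"ok": not problems, "problems": problems, "score": score(password)}


def record_failed_login(failures, username):
    """Count a failed attempt; True means the account has hit the lockout threshold."""
    failures[username] = failures.get(username, 0) + 1
    return failures[username] >= MAX_FAILED_ATTEMPTS


if __name__ == "__main__":
    for candidate in ("Password1", "LakeDistrictRachel2017"):
        print(candidate, check(candidate, "jsmith", "John Smith"))
```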
Having the option of showing users their password as they type can be quite beneficial. However, it is a good idea to have this turned off by default and allow the user to switch it on themselves, in case they are using a public computer with people nearby.
Allowing users to copy and paste passwords is important, as they may be using a password manager that has set complex password strings.
Whenever a user needs to reset their own password, it is a good idea to email them a password reset link. Techniques such as password reminders and security questions should be avoided, as these can sometimes be easier to guess than the password itself.
Tips for Users
When it comes to users setting their own passwords a few helpful hints can go a long way to securing their personal information.
For us, it is best to set a password in the form of a sentence rather than just a single word. For example, think of a favourite holiday, the person you were with and the year you went. This password could then be ‘LakeDistrictRachel2017’. As you can see, this simple structure gives you something that is very memorable for you but very difficult to guess in a brute-force password attack. You could add spaces or dashes to make the phrase more readable for you, making it more secure in the process.
Another good tip is to use the above method but add the name of the website you’re using to the end. For example, an eBay password could be ‘LakeDistrictRachel2017ebay’. This gives you a unique password for each site while keeping it memorable for yourself.
It’s all well and good having these strong and secure passwords, but we’re not machines and sometimes we forget, especially when we haven’t used a service for a long time or have got used to browsers storing passwords for us. This is why, at Blumilk, we use 1Password to manage all of our passwords, credit card details and user licenses.
It’s a great service as it allows our development team to have access to a client’s website wherever we may be.