There are too many guidelines for passwords. Actually, that’s not true. Too many supposedly “secure” institutions do not allow for proper passwords. I propose a “seal of approval” for websites that allow for proper passwords.
What’s a proper password? Well…
Here’s the bullet list that every site that allows passwords should adhere to.
- Any character should be allowed, including:
  - Single quotes
  - Double quotes
  - Backticks
  - Question marks
  - Basically, any character I can type that will show up in a text editor should be allowed.
- Passwords should have a maximum length greater than 64 characters; a maximum length of 192 should be fine.
- Passwords should have a minimum length of 12 characters.
- A mix of UPPERCASE, lowercase, Num83r5 and $ymb@!$ should be required.
- Passwords shorter than 20 characters cannot contain any entry present in a rainbow table.
With these rules in place, systems would be much more secure. To drive this home, I would propose that websites utilize a system similar to the Verisign seal, where they can identify themselves as adhering to and supporting these password guidelines.
Following this proposal, here are some examples of passwords that would probably be considered good, but actually aren’t:
- hb&6NV0z]2 – Too short
- qmc09^7a82nv82% – No uppercase
- QuiltedApple4Me! – Shorter than 20 but using words
Here are some passwords that would be acceptable:
- 7ynJCJvM)6rpedsIX?G – Shorter than 20, but no words
- My 2015 bicycle is fun! I like green grass. – Contains words, but longer than 20 characters. Notice it contains spaces too!
- SampleSQLInjection123';DROP TABLE USERS;' – Classic SQL Injection example, but should still be a valid password.
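To make the rules above concrete, here is a reference checker written as an added example (it is not code from the original post). The `KNOWN_WORDS` set is a constructed stand-in for the rainbow-table or dictionary lookup; a real deployment would consult a breached-password list instead.

```python
MIN_LEN, MAX_LEN, PHRASE_LEN = 12, 192, 20

# Constructed stand-in for a rainbow-table / dictionary lookup (hypothetical
# values); a real check would consult a breached-password or word list.
KNOWN_WORDS = {"quilted", "apple", "bicycle", "green", "grass", "password",
               "sample", "injection", "drop", "table", "users"}


def contains_known_word(pw: str) -> bool:
    """True if any listed word appears inside the password, case-insensitively."""
    lowered = pw.lower()
    return any(word in lowered for word in KNOWN_WORDS)


def check_password(pw: str) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    # Any character that shows up in a text editor is allowed; control chars are not.
    if not all(c.isprintable() for c in pw):
        problems.append("contains a non-printable character")
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    # Required mix of character classes (spaces are allowed but do not count as symbols).
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(not c.isalnum() and not c.isspace() for c in pw):
        problems.append("no symbol")
    # Short passwords must not be built from known words; long passphrases may be.
    if len(pw) < PHRASE_LEN and contains_known_word(pw):
        problems.append(f"shorter than {PHRASE_LEN} characters and built from known words")
    return problems


def is_acceptable(pw: str) -> bool:
    return not check_password(pw)


if __name__ == "__main__":
    for candidate in ["hb&6NV0z]2", "qmc09^7a82nv82%", "QuiltedApple4Me!",
                      "7ynJCJvM)6rpedsIX?G",
                      "My 2015 bicycle is fun! I like green grass.",
                      "SampleSQLInjection123';DROP TABLE USERS;'"]:
        print(repr(candidate), "->", check_password(candidate) or "acceptable")
```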