
I'm making an open-source web app that has login stuff in it.

I want to check on the server if the password is 'secure' (at least 8 characters, etc.).

The thing is that I'm not sure if I need something more than check for:

  • at least 8 characters.
  • uses numbers/special characters.
v0idifier
  • That depends on your security requirements and can't be answered definitively. We have lots of password-related questions here that might help you further. – Arminius Aug 29 '17 at 22:35
  • Can you provide a little more information such as OS type, server password role etc? – Joe Aug 29 '17 at 22:39
  • Terminology: I believe you wish to check to see if a password is *strong* (not secure). – John Wu Aug 29 '17 at 23:03
  • @Joe Whoops, I didn't really specify what I was talking about. See the edits – v0idifier Aug 29 '17 at 23:29
  • 8 characters doesn't prevent dictionary attacks and [pwned passwords](https://haveibeenpwned.com) – Xaqron Aug 30 '17 at 00:10
  • I'm really not sure what you are asking. Are you asking for a password complexity policy that you want to enforce, or do you want to know how to enforce a password policy in your app? Checking strings is a simple programming question. As for what password policy to use, there are numerous documents and standards that have been published that you can use. – schroeder Aug 30 '17 at 11:43
  • @schroeder I mean, a password policy. – v0idifier Aug 30 '17 at 11:51
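
The check the question describes (minimum length, digits and special characters) together with the breached-password comparison Xaqron's comment points to, as an added example that is not part of the original question or answer. The policy values, the `PasswordPolicy`/`check_password` names and the three-entry breached list are all constructed for illustration; a real deployment would load the breached set from a breach corpus and tune the thresholds to its own requirements.

```python
import hashlib
import string
from dataclasses import dataclass, field

# Constructed sample of breached passwords, stored as SHA-1 hex digests
# (the form the Pwned Passwords dataset is distributed in). Hard-coded here
# only so the example runs offline; load from a real corpus in production.
_SAMPLE_BREACHED = ("password1!", "Welcome123!", "qwerty123")
BREACHED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest() for p in _SAMPLE_BREACHED}


@dataclass
class PasswordPolicy:
    """Server-side policy knobs; the values are illustrative defaults, not a recommendation."""
    min_length: int = 8
    max_length: int = 128          # upper bound keeps password-hashing cost bounded
    require_digit: bool = True
    require_special: bool = True
    breached_hashes: set = field(default_factory=lambda: BREACHED_SHA1)


def is_breached(password: str, breached_hashes: set) -> bool:
    """Membership test against a set of SHA-1 digests of known-breached passwords."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest()
    return digest in breached_hashes


def check_password(password: str, policy: PasswordPolicy) -> list:
    """Return every policy violation found; an empty list means the password is accepted."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if len(password) > policy.max_length:
        problems.append(f"longer than {policy.max_length} characters")
    if policy.require_digit and not any(c.isdigit() for c in password):
        problems.append("no digit")
    if policy.require_special and not any(c in string.punctuation for c in password):
        problems.append("no special character")
    # A password that passes every composition rule can still be a known-breached one,
    # which is why the length/character checks alone are not sufficient.
    if is_breached(password, policy.breached_hashes):
        problems.append("appears in a known breach corpus")
    return problems


if __name__ == "__main__":
    policy = PasswordPolicy()
    for candidate in ("short1!", "longenoughbutplain", "password1!", "correct horse 7 battery!"):
        print(repr(candidate), "->", check_password(candidate, policy) or "ok")
```

Returning the full list of violations rather than the first one lets the server report every reason at once; the breach check runs regardless of the composition results because a password like `password1!` satisfies all three composition rules and is still rejected.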

1 Answer


If I'm not mistaken, you are asking how strong the server password(s) should be. As said in the comments, you are the only one who can answer that.

Those pages should help you out:

  • SEC.SE
  • Wikipedia
  • Microsoft
  • NIST

Not in the question range

Your password(s) policies should meet the security requirements you have wisely established after assessing the risks. Here is a basic plain scheme:

        0 security           security requirements button        super secure
                 <------------------------[]-----------------------> 
user super friendly                                               Not user friendly at all

Here is the general idea: you have to define the security requirements button position. It's more or less a compromise between ease of access and security.

Baptiste