R – what are common username and password policy

authenticationsecurity

Edit Jan 18th 2010,

Is there any symbol that should NOT be allowed to use in a password?

=========================================

Hi,

I am wondering what 'common' policy out there for username/password for creating a new account on a website.

This is currently what I have:

===========For username ==================
Length between 6 and 20 characters
Spaces are not allowed
Usernames are case sensitive

can contain lettlers, numbers, and symbols

* Uppercase letter (A-Z)
* Lowercase letter (a-z)
* Digit (0-9)

can not change after registration

===========For Password=============
6-20 chars long
can contain lettlers, numbers, and symbols

* Uppercase letter (A-Z)
* Lowercase letter (a-z)
* Digit (0-9)
* Special character (~`!@#$%^&*()+=_-{}[]\|:;”’?/<>,.)

password is encrypted in the database
password can be sent to the email address when requested

Thanks

Best Solution

For username you can make it case sensitive but I probably wouldn't allow 'similar' matches. For example it would be annoying to have these usernames on the site as all difference account: Luigi LUIGI luIgI LUigi

It could lead to griefing (people using similar account names to mock/harass someone). And it will just be confusing. And it causes problems when you have similar characters ilike l I i 0 o O.

I would rather use an email address as a username though since they will remember it. It is annoying having different usernames for lots of different sites. Email addresses are guaranteed to be unique :)

The password restrictions seem fine. As for that it is just a matter of how strong you want to force their passwords to be. Although, I would not send passwords through email. Email is insecure and the reset password method is preferred here.

Related Solutions

C# – Validate a username and password against Active Directory

If you work on .NET 3.5 or newer, you can use the System.DirectoryServices.AccountManagement namespace and easily verify your credentials:

// create a "principal context" - e.g. your domain (could be machine, too)
using(PrincipalContext pc = new PrincipalContext(ContextType.Domain, "YOURDOMAIN"))
{
    // validate the credentials
    bool isValid = pc.ValidateCredentials("myuser", "mypassword");
}

It's simple, it's reliable, it's 100% C# managed code on your end - what more can you ask for? :-)

Read all about it here:

Update:

As outlined in this other SO question (and its answers), there is an issue with this call possibly returning True for old passwords of a user. Just be aware of this behavior and don't be too surprised if this happens :-) (thanks to @MikeGledhill for pointing this out!)

Android: Storing username and password

Most Android and iPhone apps I have seen use an initial screen or dialog box to ask for credentials. I think it is cumbersome for the user to have to re-enter their name/password often, so storing that info makes sense from a usability perspective.

The advice from the (Android dev guide) is:

In general, we recommend minimizing the frequency of asking for user credentials -- to make phishing attacks more conspicuous, and less likely to be successful. Instead use an authorization token and refresh it.

Where possible, username and password should not be stored on the device. Instead, perform initial authentication using the username and password supplied by the user, and then use a short-lived, service-specific authorization token.

Using the AccountManger is the best option for storing credentials. The SampleSyncAdapter provides an example of how to use it.

If this is not an option to you for some reason, you can fall back to persisting credentials using the Preferences mechanism. Other applications won't be able to access your preferences, so the user's information is not easily exposed.

Best Solution

Related Solutions

C# – Validate a username and password against Active Directory

Android: Storing username and password

Related Question