Currently, the only requirement on FAS passwords is that they are at least 8 characters long. Should we make this stricter?
The folks at University of Amsterdam [http://staff.science.uva.nl/~delaat/sne-2009-2010/p34/report.pdf recommend] the following:[[BR]]
Nine or more characters with lower and upper case letters, digits and punctuation marks.
Ten or more characters with lower and upper case letters and digits.
Twelve or more characters with lower case letters and digits.
They make another recommendation that passwords expire in 1/5th of the time required to brute force the key space.
We decided to go with the suggestions in comment 1.
Should we leave this open for implementation? Or close it out?
Remove meeting, will implement this in git soon.
Let's leave it open and mark it easyfix. It's a fairly self-contained change to fas.
The website should specify what the maximum password length is (and what characters are allowed), but it currently doesn't AFAICT. (I use a password manager, and whenever a website tells me what the maximum length is, I generate a random password of exactly that length for it.) And if possible, please make sure the key space is large enough that people who take advantage of it aren't forced to change password more than once every couple of years.
For all lowercase characters, minimum length of 20 was suggested at the meeting.
There shouldn't be a maximum length (even currently).
I've tested that a 104 character string hashes differently than a 103 character truncation of that.
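As an added illustration (not FAS code, and not posted by anyone in this ticket), the following Python implements the tiered check discussed above: the three Amsterdam tiers from comment 1, the 20-character all-lowercase figure from the meeting, the existing 8-character floor, and no maximum length. It reads the tiers by number of distinct character classes present rather than by the exact combinations listed, which is my generalisation; the class alphabet sizes used for the key-space estimate (26/26/10/32) are also my assumptions. The hashing behaviour tested in the comment above is outside what this example covers.

```python
import math
import string

# Character classes used by the tiers. The alphabet sizes feed the
# key-space estimate: 26 letters per case, 10 digits and the 32 ASCII
# punctuation marks in string.punctuation (assumed sizes, not from FAS).
CLASSES = {
    "lower": (string.ascii_lowercase, 26),
    "upper": (string.ascii_uppercase, 26),
    "digit": (string.digits, 10),
    "punct": (string.punctuation, 32),
}

# Minimum length by number of distinct character classes present.
# 4, 3 and 2 classes follow the Amsterdam tiers quoted in the ticket;
# 1 class is the 20-character all-lowercase figure from the meeting.
# Treating the tiers as "count of classes" instead of the exact
# combinations listed is this example's generalisation.
MIN_LENGTH_BY_CLASSES = {4: 9, 3: 10, 2: 12, 1: 20}

ABSOLUTE_MINIMUM = 8  # the only rule in force when the ticket was opened
# Deliberately no maximum length: long passphrases are accepted as-is.


def classes_present(password):
    """Return the set of class names that occur in the password.

    Characters outside all four classes (e.g. non-ASCII letters) still
    count toward the length but add no class, so the check stays
    conservative rather than crediting an alphabet of unknown size.
    """
    present = set()
    for ch in password:
        for name, (alphabet, _size) in CLASSES.items():
            if ch in alphabet:
                present.add(name)
                break
    return present


def required_length(password):
    """Minimum length this password must reach under the tiered policy."""
    n = len(classes_present(password))
    if n == 0:
        # Nothing recognisable: fall back to the strictest (single-class) tier.
        return MIN_LENGTH_BY_CLASSES[1]
    return MIN_LENGTH_BY_CLASSES[n]


def keyspace_bits(password):
    """log2 of the key space a brute-forcer must cover, assuming the
    attacker knows which classes are in use: len * log2(sum of class sizes)."""
    alphabet = sum(CLASSES[name][1] for name in classes_present(password))
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def check_password(password):
    """Return (accepted, reason). No maximum length is applied."""
    if len(password) < ABSOLUTE_MINIMUM:
        return False, "shorter than %d characters" % ABSOLUTE_MINIMUM
    need = required_length(password)
    if len(password) < need:
        n = len(classes_present(password))
        return False, "%d character class(es) present: need %d characters, got %d" % (
            n, need, len(password))
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample passwords, one per tier plus edge cases.
    for pw in ["aB3!cd9Xq", "aB3cd9Xqz", "a1b2c3d4e5f6",
               "abcdefghijklmnopqrst", "short1", "a" * 104]:
        ok, why = check_password(pw)
        print("%-24s %-6s %5.1f bits  %s" % (pw[:24], ok, keyspace_bits(pw), why))
```

Running the block prints each constructed sample with its verdict and key-space estimate; note that the 20-character lowercase tier (about 94 bits) is considerably stronger than the 9-character four-class tier (about 59 bits), which is why the longer all-lowercase figure is the conservative choice.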
Done and deployed.