[Owasp-cheat-sheets] Authentication Cheat Sheet - Password length

Jim Manico jim.manico at owasp.org
Thu Aug 30 15:32:49 UTC 2012


Good catch and well said. Do you have a sec to fix this on the wiki?

Aloha,

--
Jim Manico
(808) 652-3805

On Aug 30, 2012, at 1:09 AM, "Paweł Krawczyk" <pawel.krawczyk at hush.com>
wrote:

I was just reading
https://www.owasp.org/index.php/Authentication_Cheat_Sheet

Password Length

Longer passwords provide a greater combination of characters and
consequently make it more difficult for an attacker to guess.

*Important applications*: Minimum of 6 characters in length.

*Critical applications*: Minimum of 8 characters in length. (consider
multi-factor authentication)

*Highly critical applications*: Consider multi-factor authentication



Isn't that somewhat outdated? I wouldn't recommend minimum 6-character
passwords for any application. Looking at the available evidence, I would
recommend the minimum to be nine characters for new applications and eight
for existing.

http://arstechnica.com/security/2012/08/passwords-under-assault/4/



-- 
Paweł Krawczyk, CISSP
http://ipsec.pl http://echelon.pl
+48 602 776959
