Posted on March 18, 2010 by Marcus.
My situation
You might have heard that I've lost my beloved smartphone. Because of this, I assume the person who found it might have got hold of several of my user accounts.
In the last few days I've revoked several SSH keys, changed the credentials of server accounts and changed the passwords of several accounts on websites.
If you ever find yourself in this situation, start with your e-mail accounts. They usually contain your most private information, account-creation confirmations and perhaps passwords of other user accounts, so whoever controls them can reset everything else. Then move on to e-commerce websites and change your passwords there. Finally, change the passwords of all other user accounts.
Of course, you should not use one password for all of your accounts. Before you ask: no, I haven't had a single password for all of my accounts.
A draft of an ideal password policy
While changing my credentials, I stumbled upon websites that have no user interface for changing passwords at all (you have to contact support), websites that hide the user interface in the FAQ section, websites that allow only alphanumeric passwords, and websites that are nearly perfect with regard to password policy.
If you're building websites with user accounts, the following suggestions will help you make your password policy user friendly.
- If the account requires an e-mail address, do not allow the user to change that address via a user interface! Such a change should always require the user to contact support. Support should verify the identity of the user requesting the change and might wait a mandatory three days before applying it. Support should send a notification mail to the old e-mail address informing the account holder about the planned change. This waiting period allows the account holder to intervene if the credentials were compromised and the change request was initiated by the bad guy.
- Do not hide the user interface for changing the password. It should be part of an account/settings page reachable with one click!
- The password-change interface should consist of one field for the old password and two fields for the new one (the second one for confirmation, to prevent typing errors).
- Allow alphanumeric AND special characters for the password!
- Put a description next to the password fields that tells the user which kinds of characters are allowed.
- Divide the possible characters into four classes: numeric characters, lowercase letters, uppercase letters and special characters. Require the password to contain characters from at least three of these classes and to have a minimum length.
- Put a graphical representation of the password strength next to the password field. It should be based on the mathematical entropy of the password string. Red, orange and green are nice colors to represent the strength.
- Inform the user via mail about the change of his password along with the IP address of the host that initiated the change!
- Do not send passwords via mail!
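As an added example (not code from the original post or any project it mentions), here is how the character-class rule and the entropy-based strength meter from the list above can be implemented in the browser. The minimum length of 10, the traffic-light thresholds and the size of the special-character pool (the 33 printable ASCII characters that are not alphanumeric) are assumptions; the same check must of course be repeated on the server.

```javascript
// Password policy check: four character classes (as in the post) plus a
// naive entropy estimate, length * log2(size of the pool of classes used),
// which is what most graphical strength meters compute.
const CLASSES = [
  { name: "digit",   re: /[0-9]/,         pool: 10 },
  { name: "lower",   re: /[a-z]/,         pool: 26 },
  { name: "upper",   re: /[A-Z]/,         pool: 26 },
  // printable ASCII that is not alphanumeric: 32 punctuation marks + space
  { name: "special", re: /[^0-9a-zA-Z]/,  pool: 33 },
];

const MIN_LENGTH = 10;  // assumed policy minimum; not given in the post
const MIN_CLASSES = 3;  // "at least three classes", as in the post

function checkPasswordPolicy(password) {
  const used = CLASSES.filter((c) => c.re.test(password));
  const classes = used.map((c) => c.name);
  const pool = used.reduce((sum, c) => sum + c.pool, 0);
  // Entropy estimate in bits; 0 for the empty string (pool would be 0).
  const bits = password.length > 0 ? password.length * Math.log2(pool) : 0;
  // Traffic-light thresholds for the meter are an assumption.
  const strength = bits >= 60 ? "green" : bits >= 40 ? "orange" : "red";

  const problems = [];
  if (password.length < MIN_LENGTH) {
    problems.push(`at least ${MIN_LENGTH} characters required`);
  }
  if (classes.length < MIN_CLASSES) {
    problems.push(`use at least ${MIN_CLASSES} of: digit, lower, upper, special`);
  }
  return { ok: problems.length === 0, classes, entropyBits: Math.round(bits), strength, problems };
}

// Constructed sample inputs, to show what the meter would display.
for (const pw of ["password", "Tr0ub4dor&3"]) {
  const r = checkPasswordPolicy(pw);
  console.log(`${pw}: ${r.strength}, ~${r.entropyBits} bits, ok=${r.ok}`, r.problems);
}
```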
I've found that Amazon and eBay are nearly perfect with regard to password policy. It's up to you to take my suggestions and improve your website!
I'm awaiting your comments; is any important point missing?
Partial implementation for TYPO3 CMS
If you're working with TYPO3 CMS, this might be helpful. There's an extension called "be_secure_pw" that tries to strengthen the default behaviour. It implements the character classes outlined above for the backend.
Here is a German description of the extension by its author: http://typo3blogger.de/extension-be_secure_pw/.