Welcome to our Secure Development Tips blog

Every other week, we provide expert tech tips on how to build and deploy secure applications.  These best practices, derived from Security Innovation’s assessments of the worlds’ most dominant software applications,  are taken directly from our TeamMentor product, which includes more than 3,500 guidance assets and articles on secure software design, coding and testing.    

Subscribe by Email

Your email:

Secure Development Tips

a blog with tips relating to secure application development, from Security Innovation's eknowledge database, TeamMentor

Current Articles | RSS Feed RSS Feed

Enforce Strong Password Requirements

  
  

Applies To

  • PHP

What to Do

Enforce strong password requirements.

Why

Requiring strong passwords prevents weak passwords from being used. Using strong passwords makes the application more resilient to password guessing attacks.

How

To enforce strong password requirements:

    1. Identify application requirements. Determine whether your application needs to have a customizable password complexity policy or if it's okay to hard-code password complexity requirements. Define secure defaults for password complexity options.
    2. Identify password changing code. Review your application to find code that is responsible for changing user passwords.
    3. (Optional) Let the user enter the password twice. It is a common practice to allow the user to enter the password twice to make sure that the user enters the new password correctly. This is important because the password fields are typically masked, so the user cannot see his input, and changing the password to an unintended one may leave the user locked out of his account. If this is implemented in your application, the password changing code should validate the two entered passwords to make sure they match.
    4. Check password length. Add code to the password changing function to check the password length for minimum and maximum limits defined by policy. For example:

if(strlen($password) < 8)
{
 //password is too short
}

if(strlen($password) > 20)
{
 //password is too long
}

    1. Check the password for numbers. Add code to the password changing function to check the password for numbers. For example:

if(!preg_match("#[0-9]+#", $password))
{
 //password does not contain numbers
}

    1. Check the password for lower-case letters. Add code to the password changing function to check the password for lower-case letters. For example:

if(!preg_match("#[a-z]+#", $password))
{
 //password does not contain lower-case letters
}

    1. Check the password for capital letters. Add code to the password changing function to check the password for capital letters. For example:

if(!preg_match("#[A-Z]+#", $password))
{
 //password does not contain capital letters
}

    1. (Optional) Check the password for symbols. If your application requires it, add code to the password changing function to check the password for symbols. For example:

if(!preg_match("#\W+#", $password))
{
 //password does not contain symbols
}

 

Comments

Currently, there are no comments. Be the first to post one!
Post Comment
Name
 *
Email
 *
Website (optional)
Comment
 *

Allowed tags: <a> link, <b> bold, <i> italics