I've been trying to follow the OWASP recommendations for authentication. In particular:
Applications should enforce password complexity rules to discourage easy to guess passwords. Password mechanisms should allow virtually any character the user can type to be part of their password, including the space character.
Passwords should, obviously, be case sensitive in order to increase their complexity (this is already handled in our system by use of password_hash functions)
Password must meet at least 3 out of the following 4 complexity rules
1) at least 1 uppercase character (A-Z)
2) at least 1 lowercase character (a-z)
3) at least 1 digit (0-9)
4) at least 1 special character (punctuation) — do not forget to treat space as a special character too
5) not more than 2 identical characters in a row (e.g., 111 not allowed)
Ideally, the application would indicate to the user as they type in their new password how much of the complexity policy their new password meets. In fact, the submit button should be grayed out until the new password meets the complexity policy and the 2nd copy of the new password matches the 1st. This will make it far easier for the user to understand and comply with your complexity policy.
Some questions:
Do you guys [man]trim[/man] passphrases?
Given that all user input is typically UTF-8 these days, do we allow users to use non-Latin chars? Seems like a really good idea to me for password complexity but not necessarily for data portability.
Any thoughts on regexes to:
* recognize that Å qualifies as uppercase and å is lowercase, etc. for non-Latin chars?
* recognize 3 or more identical chars in a row?
* recognize the presence of a 'special character' without getting too constrictive?
What logic do you suggest to create one of those 'password strength' meters? I'm guessing that we increase the meter's value once each rule gets matched...
That last point is really important to me personally. I've been infuriated that a certain financial website I use doesn't permit a commonly used punctuation mark that I like to use. It's maddening.
Also welcome are JavaScript techniques for this, as the guidelines encourage immediate feedback for the user while they enter their passwords. I think it's important that we match our PHP rules with corresponding JS.
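Below is an added example (my own code, not from the original post or from OWASP) of a client-side checker that answers the three regex questions and the strength-meter question together. It uses Unicode property escapes with the `u` flag so that `Å` counts as uppercase and `å` as lowercase for any script, treats "special" as any code point that is not a letter, digit or combining mark (so space and all punctuation qualify), and catches three identical characters in a row with a back-reference. The rule and function names are my own choices; the digit rule is generalized to `\p{Nd}` (any decimal digit) rather than just 0-9, and the sample passwords are constructed for illustration.

```javascript
// Added example: password-policy checker mirroring the quoted OWASP rules.
// Function and rule names are hypothetical (my own), not a library API.

// Character-class rules. The 'u' flag makes \p{...} and '.' operate on
// Unicode code points instead of UTF-16 code units.
const CLASS_RULES = {
  uppercase: (pw) => /\p{Lu}/u.test(pw),          // Å, A, Ω ...
  lowercase: (pw) => /\p{Ll}/u.test(pw),          // å, a, ω ...
  digit:     (pw) => /\p{Nd}/u.test(pw),          // generalizes "0-9" to any decimal digit
  // "Special" = anything that is not a letter, number or combining mark:
  // punctuation, symbols, and whitespace (space is deliberately included).
  special:   (pw) => /[^\p{L}\p{N}\p{M}]/u.test(pw),
};

// Hard rule: the same code point three or more times in a row.
// 's' lets '.' match newlines too, so a pasted "\n\n\n" is caught as well.
function hasTripleRepeat(pw) {
  return /(.)\1\1/su.test(pw);
}

// Evaluates a candidate password (and optional confirmation copy).
// Deliberately does NOT trim(): leading/trailing spaces are legitimate
// "special characters" under the quoted rules.
function evaluatePassword(password, confirmation) {
  const classes = {};
  for (const [name, test] of Object.entries(CLASS_RULES)) {
    classes[name] = test(password);
  }
  const classesMet = Object.values(classes).filter(Boolean).length;
  const noTripleRepeat = !hasTripleRepeat(password);
  const confirmed = confirmation === undefined || password === confirmation;

  // "At least 3 of the 4" character classes, plus the repeat rule as a gate.
  const meetsPolicy = classesMet >= 3 && noTripleRepeat;

  return {
    classes,                                      // per-rule feedback for the UI
    classesMet,                                   // 0..4
    noTripleRepeat,
    strength: Math.round((classesMet / 4) * 100), // meter value, 0..100
    meetsPolicy,
    submitEnabled: meetsPolicy && confirmed,      // grey out the button until true
  };
}

// Names of the character-class rules still unmet, for live hints as the user types.
function unmetRules(result) {
  return Object.entries(result.classes)
    .filter(([, ok]) => !ok)
    .map(([name]) => name);
}

// Constructed demo values (not real credentials).
for (const sample of ['Pässw0rd!', 'ÅNGSTRÖM 42', 'aaa111', 'Correct Horse']) {
  const r = evaluatePassword(sample);
  console.log(JSON.stringify(sample), 'strength', r.strength,
              'policy', r.meetsPolicy, 'unmet', unmetRules(r));
}
```

The same three patterns carry over to the PHP side unchanged, because PCRE understands `\p{Lu}`, `\p{Ll}`, `\p{Nd}` and back-references when the pattern carries the `u` modifier, e.g. `preg_match('/\p{Lu}/u', $password)` and `preg_match('/(.)\1\1/su', $password)`. Keeping one table of rule names on both sides lets the server reject exactly what the meter already flagged, so the client feedback never disagrees with the final check.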