Confirmed users
491
edits
WebAppSec/Secure Coding Guidelines: Difference between revisions
Jump to navigation
Jump to search
WebAppSec/Secure Coding Guidelines (view source)
Revision as of 21:55, 4 January 2011
, 4 January 2011→Password Complexity
| Line 27: | Line 27: | ||
===Password Complexity=== | ===Password Complexity=== | ||
All sites should have the following base password policy: | |||
* Passwords must be 8 characters or greater | * Passwords must be 8 characters or greater | ||
* Passwords must require | * Passwords must require letters and numbers | ||
====Critical Sites ==== | |||
Examples: addons.mozilla.org, bugzilla.mozilla.org, or other critical | |||
sites. | |||
Critical sites should add the following requirements to the password policy: | |||
* Besides the base policy, passwords should also require at least one or | |||
more special characters. | |||
==== Global Disallowed Passwords ==== | |||
We should have lists where people pull from where user users can't use | |||
these passwords. Right off the bat, we should disallow "password" and | |||
anything like it such as "p@$$w0rd". | |||
* http://www.whatsmypass.com/the-top-500-worst-passwords-of-all-time | |||
===Password Rotation=== | ===Password Rotation=== | ||