Topic: Requirements for user login passwords  (Read 12816 times)

We received a complaint from a few users who stated that during the creation of a new user account they were unable to set their preferred passwords. All users had been using a particular password for many other systems without any problem, but when they tried to set their password, an error message popped up (see Image 1). In consequence, they claim that they were forced to create a password of high complexity and/or one that was difficult to remember. 

What solution can we offer to those users?

Is there any option to change the requirements for the passwords?

Please note that every ConfTool installation does not only contain personal data, but usually also research results and other intellectual property and/or registration information. Therefore, it’s absolutely necessary to control access to the system.

As displayed in the error message, the password of each ConfTool user account must have at least five (5) characters. Furthermore, itis case sensitive. Passwords usually must include at least one letter (a–z) and one number (0–9). Moreover, the system checks whether the password entered appears in a blacklist containing about 500 of the most common passwords, like "password", "secret", "123456" or "qwert". These passwords are considered rather useless, as they can be guessed or hacked too easily.

However, you can change the strength of the password on this page:
Overview => Settings => Settings for User Registration => Security Settings for User Registration and Management
Please use the option "Password Requirements" There are three settings; we recommend using at least the default setting "Medium" (see Image 2).

We (and security experts) would strongly advise to always create and use 'strong' passwords as one of the most important way for system security. These passwords should be easy to remember, but difficult to guess by humans and computer programs.

Consequently here are some useful recommendations:
  • Never use the same password for all system you use, use different passwords. History shows that many systems are hacked earlier or later, and if you also use your password for other webpages, hackers can use this information to log in to your accounts on other systems.
  • A password should never be a single word found in the dictionary (in any language) or common keyboard sequences.
  • Automatic "password cracker" programs check for complete dictionary words in a row, so it is useful to modify dictionary words ("musyc" instead of "music"). But please be informed that even "password cracker" programs check for common symbol substitutions in words, such as "0" for "o" or "$" for "s".
  • Avoid including personal or biographical information like names or the day of birth of anyone you know.

Considering the period individuals usually use ConfTool for a specific conference, you don’t need to change your password periodically. But please try to create a unique password for the login into ConfTool only.

Usually 'strong' passwords are difficult to remember, but there are many tricks to make this easy. For example the website "wikiHOW" has several suggestions to "Create a password you can remember".
The website "18F Handbook" provides some recommendations to create and maintain secure passwords.

A very detailed description of 'strong' passwords can be found here: Wikipedia.
Finally, here is a list of 500 very common passwords.