Passwords, Passphrases, and validation

In my old blog, I wrote about a post by one of my Microsoft colleagues recommending the use of passphrases rather than passwords for Windows security. One problem that I've run into with using passphrases (or long/complex passwords) is that some applications use validation that limits the length and/or complexity of passwords, or prevents the use of certain characters. Some examples:

- The blogging software I'm using right now rejected spaces in the username in an earlier build. Thankfully, this has been corrected.

- A bank web site that I use does not allow the use of special characters (such as _) in passwords.

All I can say about such limitations is DON'T DO IT!!!

Limiting the length and/or complexity of your users' passwords is a great way to make it harder for them to be secure. If you must impose some limitations, make sure that you tell your users what those limitations are, and be absolutely sure that no existing user data violates them. The last thing you want is to lock a user with an existing account out because your validation doesn't like credentials that were accepted when the account was created.

Personally, I think it's more important to validate credentials when they are added than when the user logs in. Make sure that credentials (particularly passwords) meet your length and complexity requirements (i.e. neither too short nor too simple) before you allow the user to register. But if you validate credentials for length or complexity at login, you may inadvertently give potential attackers information that helps them guess usernames and passwords. Perhaps not a huge risk, but worth considering nonetheless.
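As an added illustration of the approach argued for above (example code, not from the original post): the length/complexity policy runs only when a password is set, it accepts spaces and symbols such as `_`, and login merely verifies the stored hash, so an account created under an older, weaker policy is never locked out and a failed login reveals nothing about how passwords are shaped. The PBKDF2 storage scheme, the thresholds and the function names are my choices for the example.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 12    # a floor only; long passphrases are welcome
MAX_LENGTH = 256   # generous ceiling so a passphrase is never rejected for length
ITERATIONS = 200_000


def validate_new_password(password: str) -> list[str]:
    """Policy check applied ONLY at registration / password change.
    Returns the problems found; an empty list means acceptable.
    Spaces and symbols such as '_' are deliberately allowed."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"must be at least {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"must be at most {MAX_LENGTH} characters")
    # A multi-word passphrase counts as complex on its own; otherwise
    # require at least three of the four character classes.
    is_passphrase = " " in password.strip() and len(password) >= 16
    classes = sum([any(c.islower() for c in password),
                   any(c.isupper() for c in password),
                   any(c.isdigit() for c in password),
                   any(not c.isalnum() for c in password)])
    if not is_passphrase and classes < 3:
        problems.append("use a multi-word passphrase or mix more character types")
    return problems


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(store: dict, username: str, password: str) -> list[str]:
    """The only place the policy is enforced: reject before anything is stored."""
    problems = validate_new_password(password)
    if not problems:
        salt = os.urandom(16)
        store[username] = (salt, hash_password(password, salt))
    return problems


def login(store: dict, username: str, password: str) -> bool:
    """Verify only; no policy re-check, so legacy credentials still work."""
    salt, expected = store.get(username, (b"\x00" * 16, b"\x00" * 32))
    # Hash even for unknown users so timing does not reveal whether a username exists.
    candidate = hash_password(password, salt)
    return username in store and hmac.compare_digest(candidate, expected)
```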