I would go further than this: don't get clever with logging in. Here's a list of "don't"s:
- DON'T arbitrarily restrict my password from being too long
- DON'T arbitrarily restrict me from using special characters
- DON'T arbitrarily require me to use certain classes of characters (eg 1 uppercase, 1 lowercase and 1 number as a requirement; see https://xkcd.com/936/)
- (this is a big one) DON'T TRY AND STOP ME PASTING MY PASSWORD. I can't tell you how infuriating this is.
Login forms aren't hard yet the desire to "add value" with little restrictions and tweaks (because security) is maddening.
Chamberlain, who make smart garage doors under their own and the LiftMaster brand, fail almost all of these. Here's a gem from their sign-up page[0]:
<input autocomplete="off" oncopy="return false" onpaste="return false" data-val="true" data-val-length="The Password must be at least 8 characters long." data-val-length-max="100" data-val-length-min="8" data-val-regex="The field Password must match the regular expression '^(?=.{8,})((?=.*\d)(?=.*[a-z])(?=.*[A-Z])|(?=.*\d)(?=.*[a-zA-Z])(?=.*[\W_])|(?=.*[a-z])(?=.*[A-Z])(?=.*[\W_])).*'." data-val-regex-pattern="^(?=.{8,})((?=.*\d)(?=.*[a-z])(?=.*[A-Z])|(?=.*\d)(?=.*[a-zA-Z])(?=.*[\W_])|(?=.*[a-z])(?=.*[A-Z])(?=.*[\W_])).*" data-val-required="The Password field is required." maxlength="128" placeholder="Create Password*" type="password">
Passwords need to be at least 8 characters in length and must contain at least 3 of the following 4 types of characters: uppercase letter, lowercase letter, number or symbol.
The blocking of copy/paste in particular was irksome, but the whole thing is almost every bad security practice all rolled into one.
A good idea is just to follow NIST SP 800-63B rules and recommendations for passwords (“memorized secrets”) unless you have a really compelling reason to deviate from it. And to be extremely skeptical if you think you have such a reason.
This actually includes all of your rules and others, such as excluding use of password hints and server-specified “security questions” (which are just a kind of weak password used to protect a stronger password), and accepting Unicode.
And if anyone raises a concern about accepting and transferring arbitrarily long passwords to the backend: Just take a quick digest hash of it on the client side (SHA512 or something) and send that UNcryptographic hash of the password to the backend to be properly cryptographically hashed there like regular. The digest hash becomes the password and the user is happy to not encounter any arbitrary restrictions on length.
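As an added example (not code from any commenter here), the three-of-four composition regex quoted from the sign-up form above sits beside an SP 800-63B-style check that only enforces length, allows any printing character including spaces and Unicode, and screens against a breach blocklist; the blocklist here is a constructed stand-in for a real compromised-password list.

```python
import re
import unicodedata

# The composition-rule regex quoted from the sign-up form in the thread above:
# at least 8 characters and 3 of the 4 classes (digit, lower, upper, symbol).
COMPOSITION_RE = re.compile(
    r"^(?=.{8,})((?=.*\d)(?=.*[a-z])(?=.*[A-Z])"
    r"|(?=.*\d)(?=.*[a-zA-Z])(?=.*[\W_])"
    r"|(?=.*[a-z])(?=.*[A-Z])(?=.*[\W_])).*"
)

# Constructed stand-in for a breached-password blocklist. SP 800-63B asks the
# verifier to reject values known to be compromised; a real deployment would
# use a large list or a k-anonymity range query against a breach corpus.
BLOCKLIST = {"password", "passw0rd", "12345678", "qwertyui", "letmein1"}

MIN_LEN = 8     # SP 800-63B minimum for a user-chosen secret
MAX_LEN = 256   # SP 800-63B requires accepting at least 64; cap only bounds hashing cost


def passes_composition_rule(pw: str) -> bool:
    """The vendor-style rule: accepted only when 3 of 4 character classes appear."""
    return COMPOSITION_RE.match(pw) is not None


def check_nist(pw: str) -> tuple[bool, str]:
    """SP 800-63B-style check: normalize, enforce length only, accept any
    printing character (spaces and Unicode included), reject blocklisted
    values, and impose no composition rule."""
    pw = unicodedata.normalize("NFKC", pw)      # stable across input methods
    n = len(pw)                                 # code points, not bytes
    if n < MIN_LEN:
        return False, "too short"
    if n > MAX_LEN:
        return False, "too long"
    # Unicode general category "C*" covers control, format and unassigned code points.
    if any(unicodedata.category(c).startswith("C") for c in pw):
        return False, "control characters not allowed"
    if pw.lower() in BLOCKLIST:
        return False, "password appears in breach list"
    return True, "ok"
```

A four-word lowercase passphrase is rejected by the composition regex yet passes the NIST-style check, while "Passw0rd" satisfies the regex and is caught only by the blocklist.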
While I agree with your points, wholeheartedly, someone shared this browser add-on/extension with me that has been a lifesaver for overcoming copy/paste blocking. The name is great too.
I use Don't Fuck With Paste. Unfortunately you don't have this level of control with apps. I've seen more than one app where I can't paste in my password. I see absolutely no reason for this.
> must be at least 8 characters, but no longer than 30 characters, with at least 1 number, but no more than 15 numbers, with the first characters not being a number or symbol and various special characters being forbidden.