Suggest standard test cases
Figure out the actually allowed characters
- Are letters allowed?
- Are digits allowed?
- Are spaces allowed?
- Which ASCII punctuation characters are allowed?
- Which non-ASCII characters are allowed?
Figure out the actually allowed length
- Minimum length
- Maximum length in characters
- Maximum length in bytes (only applies if non-ASCII characters are accepted)
Figure out if all characters are relevant
- Are non-ASCII characters distinguishable, that is, is abcÄÄÄ a different password than abcÖÖÖ?
- For long passwords, is the last character actually relevant, or can you log in even without it?
These are just a few ideas, I'm sure there is already an "official" list of this approach. This approach could be linked in the main document.
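The checklist above can be turned into black-box probes that are run against a registration/login pair. The following is an added example written for this thread, not code from the repository or from the commenter; the `FlawedBackend` class is a constructed stand-in for a site (it rejects a few punctuation characters, silently drops non-ASCII characters and silently truncates at 72 bytes, which is the bcrypt input limit), and the probe functions, user names and filler password are all made up for the demonstration. Against a real site, `register` and `login` would be replaced by the HTTP calls of the account creation and sign-in forms.

```python
"""Black-box probes for a site's actual password rules (added example)."""
import string


class FlawedBackend:
    """Constructed stand-in for a site's account system.  It deliberately
    has three bugs of the kind the checklist is meant to catch: it rejects
    a handful of punctuation characters, silently discards non-ASCII
    characters, and silently truncates the password to 72 bytes."""

    MIN_LEN, MAX_LEN = 8, 128
    FORBIDDEN = set(" '\"<>")   # arbitrary blocklist (bug 3)

    def __init__(self):
        self._stored = {}

    @staticmethod
    def _canon(pw: str) -> bytes:
        # Bug 1: non-ASCII silently discarded.  Bug 2: silent truncation.
        return pw.encode("ascii", "ignore")[:72]

    def register(self, user: str, pw: str) -> bool:
        if not self.MIN_LEN <= len(pw) <= self.MAX_LEN:
            return False
        if set(pw) & self.FORBIDDEN:
            return False
        self._stored[user] = self._canon(pw)
        return True

    def login(self, user: str, pw: str) -> bool:
        return self._stored.get(user) == self._canon(pw)


BASE = "Correct-Horse-9"   # constructed filler that the backend accepts


def allowed_characters(backend, candidates):
    """Which of `candidates` may appear in a password at all?"""
    return {c: backend.register("probe-chars", BASE + c) for c in candidates}


def length_bounds(backend, upper=512):
    """Smallest and largest accepted length in characters."""
    ok = [n for n in range(1, upper + 1) if backend.register("probe-len", "a" * n)]
    return (min(ok), max(ok)) if ok else (None, None)


def relevant_positions(backend, length):
    """How many of the first `length` characters actually affect login?
    Register a password, then flip one character at a time: if login
    still succeeds, that position is silently ignored (truncation)."""
    pw = "a" * length
    assert backend.register("probe-trunc", pw)
    return sum(
        1 for i in range(length)
        if not backend.login("probe-trunc", pw[:i] + "b" + pw[i + 1:])
    )


def distinguishes(backend, pw_a, pw_b):
    """Does the site tell two passwords apart?  Register one and log in
    with the other; a successful login means both collapse to the same
    stored value."""
    assert backend.register("probe-dist", pw_a)
    return not backend.login("probe-dist", pw_b)


if __name__ == "__main__":
    site = FlawedBackend()
    chars = allowed_characters(site, string.punctuation + " ")
    print("rejected characters:", sorted(c for c, ok in chars.items() if not ok))
    lo, hi = length_bounds(site)
    print(f"accepted length: {lo}..{hi}; relevant characters: {relevant_positions(site, hi)}")
    print("abcÄÄÄ vs abcÖÖÖ distinct:",
          distinguishes(site, "secret-abcÄÄÄ", "secret-abcÖÖÖ"))
```

Run against the constructed backend, the probes report that space and `'"<>` are rejected, that lengths 8 to 128 are accepted but only the first 72 characters matter, and that the two non-ASCII passwords from the checklist are not distinguished. Each probe creates its own throwaway account, so on a real site the registration rate limit (if any) decides how fine-grained the length scan can be.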
Thanks for your recent contributions.
Are you suggesting here an official way to identify bad password rules?
Yes, kind of. I am just trying to summarize the findings from the individual sites that are listed on the front page.
See also https://github.com/OWASP/ASVS/blob/master/4.0/en/0x11-V2-Authentication.md, which has more reputation than my quickly made-up list of things to test.
Would it perhaps be an idea to use a format similar to the Apple Password Rules Validation Tool?
required: lower; required: upper; required: digit; required: special; minlength: 20;
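To show what a machine-readable rule line like the one above buys you, here is an added example, not part of the thread or of the repository, that parses a subset of that rule format and lists how a candidate password violates it. Assumptions: the supported properties are `required`, `allowed`, `minlength`, `maxlength` and `max-consecutive`; the character classes are `lower`, `upper`, `digit`, `special`, `ascii-printable`, `unicode` and custom `[...]` sets, with `special` taken to be ASCII punctuation plus space; and when no `allowed` or `required` class is given at all, `ascii-printable` is assumed to be the allowed set. Function names are made up for the example.

```python
"""Validate a password against a rule string in the style of
`required: lower; required: upper; minlength: 20;` (added example,
subset of the format; class definitions are assumptions, see lead-in)."""
import string

CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation + " "),        # assumed membership
    "ascii-printable": set(string.printable) - set("\t\n\r\x0b\x0c"),
    "unicode": None,                                 # sentinel: any character
}


def _class(token):
    """Resolve a class name or a custom `[...]` set to a set of characters."""
    token = token.strip()
    if token.startswith("[") and token.endswith("]"):
        return token, set(token[1:-1])
    if token not in CLASSES:
        raise ValueError(f"unknown character class: {token!r}")
    return token, CLASSES[token]


def parse_rules(text):
    """Parse `key: value;` statements into a rules dict."""
    rules = {"required": [], "allowed": [],
             "minlength": None, "maxlength": None, "max-consecutive": None}
    for stmt in text.split(";"):
        if not stmt.strip():
            continue
        key, _, value = stmt.partition(":")
        key, value = key.strip(), value.strip()
        if key in ("required", "allowed"):
            rules[key].append(_class(value))
        elif key in ("minlength", "maxlength", "max-consecutive"):
            rules[key] = int(value)
        else:
            raise ValueError(f"unknown property: {key!r}")
    return rules


def violations(password, rules):
    """Return a list of human-readable rule violations (empty = compliant)."""
    problems = []
    n = len(password)
    if rules["minlength"] is not None and n < rules["minlength"]:
        problems.append(f"shorter than minlength {rules['minlength']}")
    if rules["maxlength"] is not None and n > rules["maxlength"]:
        problems.append(f"longer than maxlength {rules['maxlength']}")
    for name, chars in rules["required"]:
        if chars is not None and not any(c in chars for c in password):
            problems.append(f"missing a required {name} character")
    # Allowed set: union of allowed and required classes (assumption:
    # defaults to ascii-printable when no class is named at all).
    classes = [chars for _, chars in rules["allowed"] + rules["required"]]
    if not classes:
        classes = [CLASSES["ascii-printable"]]
    if all(chars is not None for chars in classes):
        allowed = set().union(*classes)
        bad = sorted({c for c in password if c not in allowed})
        if bad:
            problems.append(f"disallowed characters: {''.join(bad)!r}")
    limit = rules["max-consecutive"]
    if limit is not None:
        run = 1
        for prev, cur in zip(password, password[1:]):
            run = run + 1 if cur == prev else 1
            if run > limit:
                problems.append(f"more than {limit} identical characters in a row")
                break
    return problems


if __name__ == "__main__":
    rules = parse_rules("required: lower; required: upper; required: digit; "
                        "required: special; minlength: 20;")
    for candidate in ("correct horse battery", "Tr0ub4dor&3",
                      "Correct-Horse-Battery-9", "Correct-Horse-Battery-9Ä"):
        print(repr(candidate), "->", violations(candidate, rules) or "ok")
```

The rule string from the comment above is the default in the usage block; a lower-case-only passphrase fails on the missing upper-case and digit classes, a short one on `minlength`, and a password with `Ä` on the allowed set, because none of the four required classes contains it.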
That's a possibility, though I'm not certain I want to or have the time to make the repository more complex at the moment.
I think I will stick with the mostly arbitrary way the site is right now. I'm not interested in putting a strict set of rules around what should and shouldn't make it on the list.