Password Best Practices

The biggest security hole on your website is your login form.Â If you allow weak passwords, then it does not require special hacker tricks to break in to your website - a simple password guessing program will do the job just as well.

The following password types are weak and can often be guessed by simple password-guessing programs:

common names
words that can be found in the dictionary
common letter or keyboard sequences such as "abc" or "asdf"
any short sequences of letters
short PIN numbers - for example a 3-digit pin will require a maximum of 1000 guesses, which a program can do in a very short amount of time

ExSite tries to detect these cases, and depending on your security settings, may not allow such weak passwords.Â If your password is rejected as too weak, you can make it much stronger with some minor changes, such as:

using more characters (for example, a pass-phrase instead of a pass-word)
mixing letters, numbers, and punctuation
using mixed case
avoiding dictionary words

Examples:

PASSWORD	Â NOTES
password	very weak
password1	one of the most common passwords in general use - but still quite weak
pA55-w0rd!	strong
maryjane	weak - uses common names
Mary-Jane	stronger - due to mixed case and punctuation
2 b or not 2 b	strong
K&x9#uv)+-?	extremely strong, but a nuisance to remember and type :-(

Note that ExSite requires administrator passwords to be stronger than those of regular users.

ExSite's password strength requirements can be adjusted if you want to relax them and allow for weaker passwords.Â However, you should be aware that weaker passwords means a weaker website.Â You should always consider your obligations and liability with respect to protecting your clients' personal information, before bowing to users' demands to allow them to use weak passwords.