Web Application Security: Passwords Checklist is a guide to enforcing a strong password policy and security best practices in your applications.
Web applications require multiple layers of security, and passwords still play an important role in securing your web application.
Set a minimum password length of 12 characters.
Require passwords to meet a complexity rule that includes all of the following character classes: uppercase letters, lowercase letters, numbers, and symbols.
When storing passwords at rest, use a strong one-way hashing algorithm/scheme along with a randomly generated salt per password.
Verify that passwords registered or updated by your users do not appear in the top 1,000 (or 10,000) breached passwords.
NOTES:
- Don't force users to periodically rotate/change their passwords.
- Allow users to paste, use the browser's password helper, and use password managers in your application.
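The checklist items above, implemented as an added example (not part of the original checklist): a validator enforcing the 12-character minimum, the four character classes and a breached-password check, plus storage using scrypt with a fresh random salt per password. The breached-password set is a constructed stand-in; a real deployment would load an actual top-N breach list.

```python
import hashlib
import hmac
import os
import string
from typing import List, Optional, Tuple

MIN_LENGTH = 12  # checklist: minimum password length of 12 characters

# Constructed sample stand-in for a "top 1,000 breached passwords" list.
BREACHED_PASSWORDS = {"password1234", "Password123!", "qwerty123456", "letmein12345"}


def validate_password(password: str, breached=BREACHED_PASSWORDS) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Complexity rule: all four character classes must be present.
    classes = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "number": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    for name, present in classes.items():
        if not present:
            problems.append(f"missing {name}")
    # Reject passwords known from breach corpora.
    if password in breached:
        problems.append("found in breached-password list")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """One-way, memory-hard hash (scrypt) with a 16-byte random salt per password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)
```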
The Passwords checklist was submitted to us by Geekmasher and is based on the NIST 800-63 standards.