Password Policy: Keep it simple

Your password needs to be between 8 and 16 characters long and contain a number, lowercase and uppercase letters and a special character, with no repeating characters.

In my opinion, the policy above is a good way to keep new users away. If your site's content is not very valuable, I can guarantee it will drive them off. Why? Isn't the policy supposed to protect the user from being hacked?

A complicated password is not always more secure

It's false security if you store passwords unencrypted

Don't store user passwords unencrypted (in plain text). It exposes not only every account on your site to risk, but the same users' accounts on other sites as well.

The most common form of user authentication on websites is username/password or email/password. People usually reuse the same password for several accounts, so someone who obtains a user's username, email and password can try that combination on other accounts as well: web mail, PayPal, forums and so on. Rather than imposing a complicated policy, store your passwords encrypted!

Prevent brute-force and dictionary attacks!

No matter how simple a user's password is, an attacker still has to guess it to match it. The common methods used to guess passwords are brute force and the more organized dictionary attack. If your site can prevent brute force, you have already improved account security. If your site can be attacked with brute force, your site is the one to blame.

There are many ways to prevent brute-force attacks. Some examples are CAPTCHAs and cookie locking.
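Another widely used countermeasure, and the simplest to put in front of a login form, is throttling: count failed attempts per account and client address and refuse further attempts once a limit is hit, so a guessing loop gets a handful of tries instead of millions. The following is an added example, not code from the original post; the limits, the fake clock and the replayed burst of guesses are all constructed for the demonstration.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Hypothetical policy values for this example.
MAX_FAILURES = 5       # failures allowed inside the window before locking
WINDOW_SECONDS = 300   # failures older than this are forgotten
LOCKOUT_SECONDS = 900  # how long an (account, IP) pair stays locked


@dataclass
class _Bucket:
    failures: List[float] = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0


class LoginThrottle:
    """Track failed logins per (username, client IP) and refuse attempts
    once the limit is reached. Keying on the pair, not the account alone,
    keeps one attacker from locking a victim out of their own account."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._buckets: Dict[Tuple[str, str], _Bucket] = {}

    def _bucket(self, username: str, ip: str) -> _Bucket:
        return self._buckets.setdefault((username, ip), _Bucket())

    def is_allowed(self, username: str, ip: str) -> bool:
        b = self._bucket(username, ip)
        now = self._clock()
        if now < b.locked_until:
            return False
        b.failures = [t for t in b.failures if now - t < WINDOW_SECONDS]
        return True

    def record_failure(self, username: str, ip: str) -> None:
        b = self._bucket(username, ip)
        now = self._clock()
        b.failures = [t for t in b.failures if now - t < WINDOW_SECONDS]
        b.failures.append(now)
        if len(b.failures) >= MAX_FAILURES:
            b.locked_until = now + LOCKOUT_SECONDS
            b.failures.clear()

    def record_success(self, username: str, ip: str) -> None:
        self._buckets.pop((username, ip), None)


def attempt_login(throttle: LoginThrottle, check_password: Callable[[str, str], bool],
                  username: str, password: str, ip: str) -> str:
    """Return 'locked', 'ok' or 'bad' so the caller can log and respond.
    The password check is skipped entirely while the pair is locked."""
    if not throttle.is_allowed(username, ip):
        return "locked"
    if check_password(username, password):
        throttle.record_success(username, ip)
        return "ok"
    throttle.record_failure(username, ip)
    return "bad"


def simulate() -> List[str]:
    """Replay a constructed guessing burst against a fake clock and return
    the outcome of each attempt in order."""
    clock = [1_000_000.0]
    throttle = LoginThrottle(clock=lambda: clock[0])
    users = {"alice": "correct horse"}  # constructed; plain text only for the demo
    check = lambda u, p: users.get(u) == p
    results = []
    for guess in ["123456", "password", "qwerty", "abcdef", "letmein", "correct horse"]:
        results.append(attempt_login(throttle, check, "alice", guess, "203.0.113.7"))
        clock[0] += 1
    clock[0] += LOCKOUT_SECONDS  # wait out the lockout, then retry the right password
    results.append(attempt_login(throttle, check, "alice", "correct horse", "203.0.113.7"))
    return results
```

In the simulation the sixth attempt is refused even though it carries the correct password, which is the point: once the limit is reached the attacker's remaining guesses buy nothing. On a site with several application servers the bucket state belongs in a shared store such as the database or a cache rather than in process memory, otherwise each server hands out its own allowance.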

Simpler, longer passwords can be more secure

XKCD explained this amazingly. Now that we know brute-force and dictionary attacks are the common hacking methods: additional length in a password gives much better protection against brute force than 8 characters consisting of mixed letter case, numbers and special characters, because the number of combinations increases dramatically with every character added.

Even more amazingly, the XKCD method above already assumes that the attacker knows the password generation algorithm, and it still has the same strength as a 7-character password made of a completely random mix of letters, numbers and digits. If that assumption is taken away, the strength, and the effort needed to crack the password, become astronomically higher.
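The arithmetic behind the two paragraphs above is worth carrying through. Below is an added example, not code from the original post, that computes the search space in bits for a few schemes and the time to exhaust it at the comic's assumed 1000 guesses per second; the alphabet sizes, the 2048-word dictionary (11 bits per word, as in the comic) and the sample passphrase are constructed assumptions.

```python
import math
from typing import Dict

# Constructed assumptions for this example.
ALNUM = 62               # a-z, A-Z, 0-9
PRINTABLE = 94           # printable ASCII without space
LOWER_AND_SPACE = 27     # what a passphrase looks like to an attacker who does not know the scheme
DICTIONARY_WORDS = 2048  # 2**11, so each word contributes 11 bits when the scheme is known
GUESSES_PER_SECOND = 1000.0   # the comic's online-attack rate
SAMPLE_PASSPHRASE = "correct horse battery staple"


def bits_for_random_chars(alphabet_size: int, length: int) -> float:
    """Entropy, in bits, of `length` characters drawn uniformly from the alphabet.
    Each extra character adds log2(alphabet_size) bits, i.e. multiplies the
    number of combinations by the alphabet size."""
    return length * math.log2(alphabet_size)


def bits_for_word_passphrase(words: int, dictionary_size: int) -> float:
    """Entropy when the attacker knows the scheme and only has to pick the words."""
    return words * math.log2(dictionary_size)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try every combination at `rate` guesses per second."""
    return 2 ** bits / rate / (3600 * 24 * 365)


def compare_schemes() -> Dict[str, float]:
    """Bit strengths of the schemes the post contrasts, under two attacker models."""
    return {
        "7 random chars, letters+digits": bits_for_random_chars(ALNUM, 7),
        "7 random chars, all printable": bits_for_random_chars(PRINTABLE, 7),
        "8 random chars, all printable": bits_for_random_chars(PRINTABLE, 8),
        "4 words, attacker knows the scheme": bits_for_word_passphrase(4, DICTIONARY_WORDS),
        "4 words, attacker does not know the scheme":
            bits_for_random_chars(LOWER_AND_SPACE, len(SAMPLE_PASSPHRASE)),
    }


def extra_bits_per_character(alphabet_size: int) -> float:
    """How much one added character buys, independent of current length."""
    return math.log2(alphabet_size)
```

The figures show the post's claim: four dictionary words yield 44 bits, comparable to 7 truly random printable characters (about 46 bits), and the 44 bits already assume the attacker knows the words came from a 2048-word list. An attacker who has to treat the same 28-character passphrase as arbitrary lowercase text faces roughly 133 bits, far beyond any feasible search. The figures for random strings are upper bounds: a human-chosen 8-character password that merely satisfies the mixed-case/number/symbol rule is usually built from a word plus predictable substitutions and has far fewer effective bits than the uniform model gives it.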

Please note that I am not saying that requiring lowercase/uppercase letters, numbers and special characters is useless in password generation. My point is that those complicated rules can be replaced by something simpler without reducing the strength.

The importance of an account is determined by the user, unless…

How important an account is to someone is decided by the user. The exception is when your site is involved in financial activity, such as PayPal, or when someone can easily impersonate others, such as on Facebook and Twitter. Otherwise, the importance of a user account is determined by the user, and a complicated password policy is not needed there.

So what policy is a good policy?

Personally, I think there are several policy rules that are useful without bothering the user. A minimum length of 6 characters is so common in account authentication that it brings no harm nowadays. That rule alone is not sufficient, since users can still pick common passwords that are easy to guess, such as 123456, abcdef, qwerty, password or yyyymmdd. The next useful rule is to prevent users from choosing such easy-to-guess passwords. It won't bother the user and at the same time improves security.
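A checker that enforces exactly those two rules, a minimum length and a rejection of easy-to-guess choices, is short. The following is an added example, not code from the original post; the blocklist is a constructed handful (a real site would load a large list of leaked and common passwords), and the date pattern and sequential-run check are assumptions about what "easy-guessing" should cover, based on the examples the post lists.

```python
import re
from typing import List

MIN_LENGTH = 6  # the post's suggested minimum

# Constructed blocklist for the example; load a real common-password list in production.
COMMON_PASSWORDS = {"123456", "abcdef", "qwerty", "password", "letmein", "111111"}

# yyyymmdd with a plausible year, month and day.
_DATE_RE = re.compile(r"^(19|20)\d{2}(0[1-9]|1[0-2])(0[1-9]|[12]\d|3[01])$")


def is_sequential_run(pw: str) -> bool:
    """True for strings like 'abcdef' or '654321' whose characters step by one."""
    s = pw.lower()
    if len(s) < 4:
        return False
    codes = [ord(c) for c in s]
    steps = {b - a for a, b in zip(codes, codes[1:])}
    return steps == {1} or steps == {-1}


def check_password(pw: str) -> List[str]:
    """Return the list of rule violations; an empty list means the password is acceptable.
    Returning every problem at once lets the sign-up form explain itself in one round trip."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    lowered = pw.lower()
    # 'password1' and 'Qwerty99' are the same guess with a digit tacked on,
    # so compare the stem without trailing digits as well.
    stem = re.sub(r"\d+$", "", lowered) or lowered
    if lowered in COMMON_PASSWORDS or stem in COMMON_PASSWORDS:
        problems.append("on the common-password list")

    if _DATE_RE.match(pw):
        problems.append("looks like a date (yyyymmdd)")
    if pw and len(set(pw)) == 1:
        problems.append("single repeated character")
    if is_sequential_run(pw):
        problems.append("sequential run of characters")
    return problems


def is_acceptable(pw: str) -> bool:
    return not check_password(pw)
```

Note what the checker does not do: it never demands a digit, a symbol or mixed case, so a long plain passphrase passes while each of the post's examples of weak passwords is refused.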

Conclusion

Don't use an over-complicated password policy. Brute-force countermeasures can prevent simple passwords from being cracked. Complicated passwords are useless if the site stores them in plain text and gets hacked. Simpler, longer passwords can provide the same or better security. Not every user cares if their account on some site gets hacked, and a few non-complicated rules can improve security much more than a complicated policy.
