Vanilla's password strengths have two requirements: length and complexity.
- The default password length must be a minimum of 6 characters, but can be increased as a support request using the
Garden.Password.MinLength setting. - The default password complexity is set to 2 which is fairly low, but we don't recommend changing this because password complexity is fairly difficult to explain to users and they can become frustrated trying too many passwords. The good news is that password complexity increases when the length increases so increasing the minimum password length will also increase password complexity.
Are Vanilla's default password requirements high enough for my site?
To some security researchers, Vanilla's default password requirements may seem a bit low. We had long discussions over password requirements when implemented and used the following reasoning.
- Too onerous of password requirements will prevent some people from registering. We actually played with requirements earlier in our product's lifecycle and saw a significant drop in registration when password complexity was increased too high.
- We rate limit signing in to roughly one attempt per second. This technique mitigates against brute force password guessing attempts.
- Users can still choose a strong password! We try to empower users to choose a stronger password by showing them the complexity of their choice a they type it.
Why doesn't Vanilla require specific characters in passwords?
Some sites have a "one of each character" type password requirement. is not consistent with current best practices for the following reasons:
- Character variety has less impact on password guess-ability than password length.
- Onerous password requirements often conflict with password manager random password generation which ends up making passwords less secure overall.
- Customized password requirements also presents a localization issue as a configurable password requirement would have to be explained to users and thus translated into multiple locales.
We calculate password complexity using a combination of password length and character uniqueness. If you will notice though, length is the most important determination of password complexity.