# Password Policies

A password policy defines different limitations for passwords and therefore has an impact on their creation process and security.


# Background

# Context

Password policies define different specifications for user passwords. A variety of these specifications can be found in the following sources:

The following requirements could be elaborated.

Requirement Possible implementation through a library?
Password is at least 12 characters long ✔️
Password can have a length of at least 64 and up to 128 characters ✔️
No password pruning
Allow all unicode characters ✔️
Password should not be under the most common ones
Password-Strength-Meter should support strong passwords ✔️
Historic passwords don't influence new ones
No periodical password changing enforced ✔️

Further requirements for the management of passwords which generally can not be implemented by libraries:

  • Browser password manager should be supported
  • Password-fields should offer a possibility to view the password again
  • User should be allowed to change their passwords

# Problems

  • The implementation of the above mentioned requirements
  • No all-in-one solution through frameworks and libraries

# Solution

# Technology


In order to fullfil the above requirements, a high level of configuration of the developer is required. Therefore: Use third-party apps which solve these issues!

# Node.js Libraries


To solve this problem, the usage of APIs like for example haveibeenpwned (opens new window) is recommended.

# Java

  • As seen in Node.js, Java also offers a library to define password policies. The library is called Passay (opens new window) and suffers from the same issues as seen above.
  • Furthermore, the Password-Strength-Meter library zxcvbn4j (opens new window) can and should be used.
Last Updated: 7/3/2022, 3:51:46 PM