I’ve just registered the domain of passwordstandards.com as part of a new project. The goal of the endeavor is to call attention to online services that don’t allow their users to select decently strong passwords. This is especially crucial for services that are financial in nature or maintain other types of sensitive information.

Project Clarification

First things first — the main focus of this site is to allow users to select strong passwords, not to disallow them from selecting weak ones. Prohibiting weak passwords is important as well but will not be the focus of the project.

Basic Goals

• Maintain a list of offenders and regularly “encourage” those on the list to improve
• Have a few categories for the sites listed, e.g. financial, personal, etc.
• For each site show the existing, weak standard that they support, e.g. no capitalization, or no special characters
• Provide an interface for the community to submit sites for addition or deletion

The Mission Statement

So let’s agree on a general project statement. Here’s what I’m thinking:

Any online service that requires a login should allow security-conscious users to select strong passwords. If security is not a concern for your service then don’t require a password. If it is a concern then allow users to create a decent one.

Please allow at least the following:

1. Ten (10) total characters in length
2. Lowercase and uppercase letters
3. Numbers (0-9)
4. Basic special characters (to be agreed upon)

Thoughts?

A few I’ll still interact with through my mail client, i.e. those that I participate actively in more often, but for the majority of them I’m going to be moving to RSS. Here’s a short list of feeds you might want to look at:

• Bugtraq
• Full Disclosure
• Nmap Hackers

And here’s a comprehensive list from seclist.org.

Link: OpenSSH Donation Pledge Drive