Don’t limit your passwords

Amber Yust
Published in Web App Security
Feb 2, 2014

There is nothing more frustrating than seeing how many sites put a ridiculously low upper limit on password length. Modern websites should be using a modern password hash (a slow, salted function such as bcrypt, scrypt or PBKDF2), and those functions handle long passwords just fine. The one caveat is bcrypt, which only looks at the first 72 bytes of its input; if you use it, pre-hash the password first (for example with SHA-256, encoded as hex or base64, since raw digest bytes can contain a NUL that bcrypt treats as the end of the string) so that a user's 100-character passphrase is actually all being checked.

That's not to say minimum length requirements are bad: something like "at least 8 characters" is a reasonable requirement. It's also not a bad idea to require passwords to be more than just a single dictionary word. Finally, it's sensible to set a large maximum length (e.g. 1000 characters), purely so that nobody can stall your server by submitting megabytes of "password" for it to hash. That ceiling is a resource limit, not a usability one; no real user will ever hit it.

Beyond the most basic minimum requirements, however, you should take as hands-off an approach as you can. Many sites actually reduce the effective strength of their users' passwords by forcing them to conform to arbitrary composition rules. As xkcd (#936) nicely demonstrates, password strength isn't about requiring weird combinations of characters but about overall entropy, and the average user has a much easier time remembering entropy in the form of words and phrases than as a jumble of symbols.

By the same token, there's no reason to disallow special characters or spaces in passwords. Since you're never going to put a password directly into a database query or render it in a page (it goes straight into the hash function and nowhere else), you don't have to worry about special characters causing odd behaviour. Disallowing characters buys you nothing and makes it harder for users to choose passwords they'll remember. If someone wants to use an entire poem for their password… let them!
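The policy above, as an added example that is not part of the original post: an 8-character floor, a 1000-byte ceiling that exists only to bound hashing cost, a single-dictionary-word check, no character restrictions at all, and a salted PBKDF2-HMAC-SHA256 hash on the other side. The tiny word list is constructed for the demo (a real deployment would check against a breached-password or wordlist service), the 600,000 iteration count is an assumption you should tune to your hardware, and the `pbkdf2_sha256$...` storage format is this example's own convention, not anything the post prescribes.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import unicodedata

MIN_LENGTH = 8            # characters: the one floor the post endorses
MAX_BYTES = 1000          # generous ceiling that only bounds hashing cost
PBKDF2_ITERATIONS = 600_000  # assumption: tune to your hardware's budget

# Constructed mini word list for the demo; a real deployment would check
# against a breached-password corpus or a full dictionary.
COMMON_WORDS = {"password", "letmein", "dragon", "sunshine", "baseball"}


def _normalize(password: str) -> str:
    # NFKC so the same passphrase typed on different keyboards/OSes hashes
    # identically (composed vs. decomposed accents, compatibility forms).
    return unicodedata.normalize("NFKC", password)


def validate_password(password: str) -> list[str]:
    """Return a list of problems; an empty list means the password is fine.

    Deliberately no composition rules: spaces, punctuation, emoji, newlines
    and whole poems are all allowed.
    """
    normalized = _normalize(password)
    problems: list[str] = []
    if len(normalized) < MIN_LENGTH:
        problems.append(f"must be at least {MIN_LENGTH} characters")
    # Count bytes, not characters: bytes are what the hash function consumes
    # and what an attacker would inflate to stall the server.
    if len(normalized.encode("utf-8")) > MAX_BYTES:
        problems.append(f"must be at most {MAX_BYTES} bytes")
    if normalized.strip().lower() in COMMON_WORDS:
        problems.append("must not be a single common dictionary word")
    return problems


def hash_password(password: str, *, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hash a (pre-validated) password with a fresh random salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", _normalize(password).encode("utf-8"), salt, iterations
    )
    # Self-describing record so the iteration count can be raised later.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison against a record produced by hash_password."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        _normalize(password).encode("utf-8"),
        bytes.fromhex(salt_hex),
        int(iterations),
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def register(password: str, *, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Validate then hash; raises ValueError listing every problem at once."""
    problems = validate_password(password)
    if problems:
        raise ValueError("; ".join(problems))
    return hash_password(password, iterations=iterations)


if __name__ == "__main__":
    # Constructed sample: a multi-line passphrase with punctuation and non-ASCII.
    poem = "Shall I compare thee to a summer's day?\nThou art more lovely: é ☃"
    record = register(poem)
    print(record)
    print("poem verifies:", verify_password(poem, record))
    print("tweaked poem verifies:", verify_password(poem + " ", record))
    print("problems with 'Password':", validate_password("Password"))
```

Note that the size check runs before any hashing, so an oversized submission is rejected for the cost of one `len()` call rather than a slow key derivation, and the only time the server ever sees the plaintext is on its way into `pbkdf2_hmac`.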

Privacy Engineering & Manager @Google. EVELink maintainer, Guild Wars NPC, etc. My opinions and comments do not necessarily reflect those of my employer.