Why don't Twitter and Facebook enforce password complexity during sign up?

If you try creating an account using your smartphone, these platforms don't seem to have strong password requirements. They both enforce a minimum 6-character limit and nothing else (I did, however, notice that Twitter seems to filter out certain passwords, like 111111, whereas this is a legitimate password on Facebook).



I can understand that enforcing strict rules such as uppercase, lowercase, number, and symbol can frustrate users and make passwords less memorable. However, I'm not convinced that the current password validation (or lack thereof) is a better choice.



If I'm creating a new app now, how should I approach this problem?
passwords password-policy facebook twitter
asked 33 mins ago by user246392

  • related: Facebook allows password + any character, Facebook password lowercase and uppercase.
    – Steffen Ullrich
    22 mins ago
  • The question is not clear: in the title you ask why Facebook and Twitter allow lax passwords. In the question instead you ultimately ask how you should handle password complexity in your own application. Please align title and question to show what you really want to know.
    – Steffen Ullrich
    20 mins ago
  • Possible duplicate of what are good requirements for a password, Recommended policy on password complexity, Are password complexity rules counterproductive?, Why do password strength requirements exist?.
    – Steffen Ullrich
    18 mins ago
1 Answer
Facebook and Twitter have very...specific, controversial security postures. They serve a broad market and the security space does not always appreciate everything they do. My recommendation for an app you're building might be not to follow Facebook and Twitter's examples in terms of security.



For resources, I recommend looking to OWASP first. If you're not familiar with OWASP, they're a collection of application security methods and best practices, giving visibility on the whole lifecycle - from conception and design through to pentesting. They lead the appsec industry and speak with a huge amount of (well-earned) authority.



All that being said, definitely check out OWASP's information on password strength controls. If you're looking for help with password strength implementation, hopefully that should sort you out. (And while you're there, have a look at the OWASP Top 10 for other helpful tips when it comes to building your app.)



Great question by the way. Good luck with the app!
answered 23 mins ago by BoggleSmalls
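As an added illustration of the direction the answer points to, here is a password acceptance check that replaces character-class composition rules with a minimum length, a maximum length, a deny-list of common passwords (including the 111111 the question mentions), a repeated/sequential-character check, and a check that the password does not contain the account name or e-mail. This code is not from the question, the answer, or OWASP; the thresholds (8 and 64 characters), the deny-list contents and the 4-character identifier threshold are assumptions chosen for the example, and a real deployment would load a large list of breached or common passwords instead of the tiny constructed one here. The bare six-character rule the question describes is included for contrast.

```python
"""Password acceptance check: length floor and ceiling plus a deny-list,
with no composition rules. Added example; all constants are assumptions."""
import unicodedata
from collections.abc import Iterable

# Constructed, deliberately tiny deny-list standing in for a real breached/common
# password corpus. Entries are lowercase; candidates are lowercased before lookup.
COMMON_PASSWORDS = frozenset({
    "111111", "123456", "12345678", "password", "qwerty", "letmein", "iloveyou",
})

MIN_LENGTH = 8    # assumption: above the 6-character floor described in the question
MAX_LENGTH = 64   # assumption: long enough for passphrases, still bounds hashing cost
IDENT_MIN = 4     # assumption: ignore very short names to avoid false positives


def normalize(password: str) -> str:
    """NFKC-normalise so visually identical Unicode forms are compared (and later
    hashed) consistently. Inner whitespace is kept so passphrases survive intact."""
    return unicodedata.normalize("NFKC", password)


def six_char_minimum(password: str) -> bool:
    """The policy the question describes: any string of 6+ characters passes."""
    return len(password) >= 6


def is_trivial_pattern(pw: str) -> bool:
    """True for a single repeated character ('aaaaaaaa') or a strictly
    sequential run in code-point order ('12345678', 'abcdefgh', 'hgfedcba')."""
    if len(set(pw)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def check_password(password: str, identifiers: Iterable[str] = ()) -> list[str]:
    """Return the reasons a password is rejected; an empty list means accepted.
    `identifiers` are account-specific strings (username, e-mail) that must not
    appear inside the password. No character-class rules are applied."""
    pw = normalize(password)
    lowered = pw.lower()
    reasons: list[str] = []

    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        reasons.append("appears on the common-password list")
    if is_trivial_pattern(lowered):
        reasons.append("repeated or sequential characters")

    # For an e-mail address also check its local part ("alice" in "alice@example.com").
    candidates = {
        part.lower()
        for ident in identifiers
        for part in (ident, ident.split("@", 1)[0])
    }
    if any(len(c) >= IDENT_MIN and c in lowered for c in candidates):
        reasons.append("contains the account name or e-mail")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs showing where the two policies disagree.
    for candidate in ("111111", "abcdefgh", "alice2024xyz", "correct horse battery staple"):
        print(f"{candidate!r}: six-char rule={'pass' if six_char_minimum(candidate) else 'fail'}, "
              f"policy={check_password(candidate, identifiers=('alice@example.com',)) or 'accepted'}")
```

The contrast is the point: 111111 clears the six-character rule but is rejected three times over by the length-plus-deny-list policy, while a long passphrase with no digits or symbols is accepted, which is the trade-off the question raises between strict composition rules and memorability.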