If you like DNray Forum, you can support it by - BTC: bc1qppjcl3c2cyjazy6lepmrv3fh6ke9mxs7zpfky0 , TRC20 and more...

 

Optimizing Password Security for User Registration

Started by elupeVuSeuropc, Oct 07, 2024, 12:16 AM


elupeVuSeuropc (Topic starter)

Yo there,

I'm currently revamping my article site and I've decided to implement user registration for comments. No financial data's involved, just personal info. Still, you never know...

I'm thinking of having the site auto-generate passwords and email them out.

Could you shed some light on the ideal password length? I want to avoid password fatigue for users, but I also want robust security.

Also, should I include special chars in passwords? Do they truly bolster security, or is it just security theater? Wouldn't a longer password be more effective?

Are there any established password policies out there? How do you personally handle password creation?

Cheers


epineuclin

Password policies are often a joke. Users are going to use weak passwords no matter what, and hackers are going to find a way to crack them. But hey, we have to pretend to care about security, right? So, go ahead and implement a password policy that requires a minimum of 12 characters, including special characters and numbers. Just don't expect it to make a difference.

As for auto-generated passwords, just use a decent random number generator and call it a day. Don't worry too much about the length or complexity, just make sure it's not something like "qwerty123". And for goodness' sake, don't store the passwords in plaintext. Use a decent hashing algorithm like bcrypt or Argon2, and make sure to salt the passwords properly. But let's be real, it's not like it's going to make a huge difference in the grand scheme of things.
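An added example, not part of the thread or any poster's code: it generates a password from the OS CSPRNG, compares the entropy of "longer" against "more symbols" (the question in the opening post), and stores a salted hash. The 12-symbol special-character set and the scrypt parameters are assumptions, and scrypt from Python's standard library stands in for the bcrypt or Argon2 named above.

```python
import hashlib
import hmac
import math
import secrets
import string

ALNUM = string.ascii_letters + string.digits      # 62 symbols
ALNUM_SPECIAL = ALNUM + "!@#$%^&*-_=+"            # 74 symbols (constructed set)
# Assumed work factors; tune to your own hardware. maxmem must cover 128*n*r bytes.
SCRYPT = dict(n=2**14, r=8, p=1, maxmem=64 * 1024 * 1024, dklen=32)

def generate_password(length: int, alphabet: str = ALNUM) -> str:
    """Pick every character with the secrets module (CSPRNG), not random."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)

def min_length_for(bits: float, alphabet_size: int) -> int:
    """Shortest random password that reaches the requested entropy."""
    return math.ceil(bits / math.log2(alphabet_size))

def hash_password(password: str) -> str:
    """Return 'salt$digest' (hex); a fresh 16-byte salt is drawn per password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return f"{salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

if __name__ == "__main__":
    print(f"12 chars, 74 symbols: {entropy_bits(12, 74):.1f} bits")
    print(f"13 chars, 62 symbols: {entropy_bits(13, 62):.1f} bits")
    pw = generate_password(min_length_for(80, len(ALNUM)))
    record = hash_password(pw)
    print("verifies:", verify_password(pw, record))
```

For randomly generated passwords, one extra alphanumeric character adds more entropy than the twelve extra symbols do at the same length.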

chabip99

Implementing a commenting system that's restricted to registered users only can be a major turnoff for the majority of your audience. Let's face it, you're essentially kissing goodbye to around 90-95% of potential engagement on your article site. And don't even get me started on the default password assigned to users - it's a joke.
Who's going to bother jotting it down and entering it every time? Only a handful of meticulous folks, that's who. What you really need is a robust registration system that allows users to create their own passwords, with the option to generate a strong, random password for those who want it. This way, you can strike a balance between security and user experience.

surekhabhardwaj

The more complex and lengthy a password is, the more substantial the barrier to entry for would-be hackers. You don't need to get bogged down in the nitty-gritty of numerical analysis; a decent password provides a sufficient bulwark against brute-force attacks.

In reality, most password breaches occur as a result of data dumps or social engineering tactics, rather than sophisticated cryptanalysis. It's essential to recognize that hackers typically conduct a cost-benefit analysis before launching an attack, weighing the potential payoff against the resources required to crack the password. Only when the expected ROI is favorable do they greenlight the operation.

