There are many techniques to enforce strong passwords on website:
- Requesting that passwords pass a regex of varying complexity
- Setting the password autonomously, so that casual users have a strong password
- Letting passwords expire
- etc.
On the other hands there are drawbacks, because all of them make life less easy for the user, meaning less registrations.
So, what techniques do you use? Which provide the best protection vs. inconvenience ratio?
To clear things up, I am not referring to banking sites or sites that store credit cards. Think more in terms of popular (or not-so-popular) sites that still require registration.
I don’t think it’s possible to enforce strong passwords, but there are lots of things you can do to encourage them as much as possible.
One excellent trick I like to use is to have the password’s expiry date tied to the password score. So stronger passwords don’t need to be changed so often. This works particularly well if you can give users direct feedback about how long the password they’ve chosen will live for (and dynamically update it so they can see how adding characters affects the date).