Good Security Practices

Any computer security system that relies on usernames and passwords must be administered with care, so that good security practices are followed by everyone who holds credentials. WBPS is designed so that it should be virtually impossible for a "cracker" to guess or decipher a username/password combination and thereby invade a WBPS-secured site. If, however, your administrators or users are careless about how they choose usernames and passwords or how they store their credentials, a "cracker" may find it relatively easy to defeat your site's security.

In particular, you should develop practices for the selection of usernames and passwords for your site that result in strong and unguessable username/password combinations, and you should encourage your users to observe good security practices with respect to the credentials you give them for your site.


Developing Strong Usernames and Passwords

WBPS requires usernames and passwords to be at least four characters long; they may consist of any combination of numerals, lowercase letters, and uppercase letters.  WBPS treats uppercase and lowercase letters as distinct characters, so the password "TESTING" is not the same as "testing" or "Testing".

In general, you should assign usernames and passwords that are difficult for outsiders to guess.  If you observe the following principles, the usernames and passwords you choose will run the lowest risk of being guessed or stolen by unauthorized visitors to your site:

          Set a minimum length for usernames and passwords. As a rule, the longer you make your
               usernames and passwords, the less likely it is that someone will be able to guess them by
               attempting to log in with randomly-generated combinations of characters, because each added
               character multiplies the number of combinations an attacker must try. What is a "safe" length?
               We recommend usernames and passwords of at least seven characters, each.

          Choose usernames and passwords that use uppercase letters, numerals, and lowercase letters in
               non-obvious arrangements. "d0GhOuSe", for example, is a stronger password than "Doghouse"
               or "doghouse". In general, each username and each password should have at least one
               uppercase letter not in the first position, at least one numeral, and at least one lowercase letter.

          Pick usernames and passwords that your users will be able to remember without writing down. You
               should consult with your users, if possible, and get their suggestions.

          Select usernames and passwords that a user can type quickly. This minimizes the possibility that
               someone watching a user log in could learn his/her credentials.

          Do not use usernames and passwords that can be found in common dictionaries of English or other
               languages.

          Don't use passwords with predictable sequences of alphabetic or numeric characters, like:
               "abcdefg", "9876543", "aaabbbccc", etc.

          Change passwords (and possibly usernames) on a regular schedule -- every six months or more
               frequently -- and immediately whenever you suspect that a credential has been disclosed.

          Do not use personal information in choosing passwords. Users should not choose a pet's name,
               their date of birth, or other easily-guessable information as their passwords.

          Do not assign a single username to more than one person.

WBPS has an analytic tool, the "User/Password Analysis" screen, that can help you evaluate the composition and strength of the usernames and passwords that you select.
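The rules listed above can be applied mechanically before a credential is issued. The following checker is an added example written for this page; it is not the WBPS "User/Password Analysis" screen, and its rule names, the small built-in word list, and the digit-for-letter substitution table are all assumptions made for illustration. It enforces the WBPS character set (letters and numerals only), the seven-character minimum, the placement of uppercase letters, the numeral and lowercase requirements, the dictionary and predictable-sequence prohibitions, and an optional list of personal facts (pet name, date of birth) that must not appear in the password.

```python
import string

# Constructed mini word list standing in for a real dictionary file.
DICTIONARY = {"doghouse", "password", "testing", "welcome", "summer", "letmein"}

# Digit-for-letter substitutions that password-cracking tools try automatically.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

ALLOWED = set(string.ascii_letters + string.digits)  # WBPS character set
MIN_LENGTH = 7                                       # recommended minimum


def has_predictable_run(pw, run=3):
    """True if pw contains `run` characters that step by 0, +1 or -1 in code
    point order, e.g. "abc", "987", "aaa" (compared case-insensitively)."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        diffs = {codes[j + 1] - codes[j] for j in range(i, i + run - 1)}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def check_password(pw, personal=()):
    """Return the list of rule names the candidate password violates.
    An empty list means the password passes every rule on this page.
    `personal` is an optional list of facts about the user (pet name,
    birth date, ...) that must not appear anywhere in the password."""
    violations = []
    if len(pw) < MIN_LENGTH:
        violations.append("length")
    if not set(pw) <= ALLOWED:
        violations.append("charset")
    # At least one uppercase letter, and not only in the first position.
    if not any(c.isupper() for c in pw[1:]):
        violations.append("uppercase")
    if not any(c.isdigit() for c in pw):
        violations.append("digit")
    if not any(c.islower() for c in pw):
        violations.append("lowercase")
    # Dictionary check on the lowercase form after undoing common substitutions.
    normalized = pw.lower().translate(LEET)
    if pw.lower() in DICTIONARY or normalized in DICTIONARY:
        violations.append("dictionary")
    if has_predictable_run(pw):
        violations.append("sequence")
    if any(fact and fact.lower() in pw.lower() for fact in personal):
        violations.append("personal")
    return violations


if __name__ == "__main__":
    # Candidates from the page plus a few constructed ones.
    samples = [
        ("Doghouse", ()),
        ("d0GhOuSe", ()),
        ("abcdefg", ()),
        ("9876543", ()),
        ("Test1", ()),
        ("fLuffy2019", ("Fluffy", "2019")),
        ("rT7kq2Mz", ()),
    ]
    for candidate, facts in samples:
        print(f"{candidate:12} -> {check_password(candidate, facts) or 'OK'}")
```

Note the one place where the checker is stricter than the page's own illustration: because it undoes common digit-for-letter substitutions before consulting the dictionary, "d0GhOuSe" is rejected as the dictionary word "doghouse". It is certainly stronger than "Doghouse", but cracking tools apply exactly these substitution rules to their word lists, so a disguised dictionary word gains far less than its appearance suggests; a random string of the same length, such as the constructed "rT7kq2Mz", passes every rule.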


Behavioral Considerations

The strongest password security scheme won't be secure if your users write their usernames and passwords on "sticky notes" and paste them next to their computers, or if they "share" them with their friends.

Developing a password security scheme for a Web site is often difficult because the site administrator may not have much contact with users, who may be widely dispersed geographically. Unlike a small, centrally-located company, where an administrator can easily visit the users' workplaces and look for insecure practices, a typical Web application does not give administrators the ability to audit and monitor their users' behavior.

To the extent that you can, try to get your users to practice good password security. More particularly, they should not:

          Store usernames and passwords on paper or in an unencrypted computer file.

          Disclose their usernames and passwords to any other persons.

          Include their usernames and passwords in email messages, instant messaging, or other non-secure
               communications.

          Select passwords that they have used in the past or that they use for other sites or programs.

Depending on the nature and purpose of your site, you might consider imposing usage restrictions that are reasonable for a single individual. A subscription site, for example, might expect its subscribers to log in to its secure content an average of twice a day. If your Web site log files show that a user is logging in dozens of times a week, or from many different addresses, this might indicate that he/she is "sharing" login credentials, or that the username and password have been obtained by an unauthorized person. In such a situation, a site administrator would change the user's password and possibly his/her username. Restrictions such as these can be included in the site's Terms of Service or other contractual agreements between you and your customers.
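The log review described above can be automated. The script below is an added example, not part of WBPS or of this page's original text; it assumes a constructed application log format (`YYYY-MM-DD HH:MM:SS LOGIN OK|FAIL user=... ip=...`, one event per line) rather than any real WBPS log layout, and the thresholds (more than 14 successful logins in one ISO week, or more than 3 distinct client addresses) are illustrative values chosen to match the "twice a day" expectation in the text. The sample log it analyzes is generated inline and uses documentation address ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (constructed) log line format; adapt the pattern to your own logs.
LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) LOGIN (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_logins(lines):
    """Yield (timestamp, result, user, ip) for each login event; other lines are skipped."""
    for line in lines:
        m = LOGIN_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        yield ts, m["result"], m["user"], m["ip"]


def find_shared_accounts(lines, max_per_week=14, max_ips=3):
    """Return {user: [weekly records]} for users whose successful logins in any
    ISO week exceed max_per_week, or who logged in from more than max_ips
    distinct addresses in that week. Failed attempts are not counted."""
    logins = defaultdict(int)
    ips = defaultdict(set)
    for ts, result, user, ip in parse_logins(lines):
        if result != "OK":
            continue
        year, week, _ = ts.isocalendar()
        logins[(user, year, week)] += 1
        ips[(user, year, week)].add(ip)

    flagged = {}
    for (user, year, week), count in logins.items():
        distinct = len(ips[(user, year, week)])
        if count > max_per_week or distinct > max_ips:
            flagged.setdefault(user, []).append(
                {"week": f"{year}-W{week:02d}", "logins": count, "distinct_ips": distinct}
            )
    return flagged


def make_sample_log():
    """Constructed sample week (Mon 2024-03-04 to Sun 2024-03-10): alice logs in
    twice a day from one home address, bob's credentials are in use from five
    addresses around the clock, carol has one failed attempt."""
    start = datetime(2024, 3, 4, 8, 0, 0)
    lines = []
    for day in range(7):
        for hour in (8, 20):
            t = start + timedelta(days=day, hours=hour - 8)
            lines.append(f"{t:%Y-%m-%d %H:%M:%S} LOGIN OK user=alice ip=198.51.100.7")
    bob_ips = ["203.0.113.5", "203.0.113.77", "192.0.2.14", "192.0.2.200", "198.51.100.42"]
    for i in range(35):
        t = start + timedelta(hours=i * 4)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} LOGIN OK user=bob ip={bob_ips[i % len(bob_ips)]}")
    lines.append(f"{start:%Y-%m-%d %H:%M:%S} LOGIN FAIL user=carol ip=192.0.2.1")
    lines.append("2024-03-04 09:00:00 PAGE /members/index.html user=alice")  # not a login event
    return lines


if __name__ == "__main__":
    for user, weeks in find_shared_accounts(make_sample_log()).items():
        for rec in weeks:
            print(f"{user}: {rec['logins']} logins from {rec['distinct_ips']} addresses in {rec['week']}")
```

Counting per ISO week rather than over the whole log keeps a long-standing, legitimately active account from being flagged merely for having a long history, and counting distinct addresses catches the case the login total alone misses: a few people sharing one credential from different homes may each log in rarely. Treat a hit as a prompt to reset the credential and talk to the user, not as proof of misuse; a subscriber who travels, or whose ISP changes addresses often, will trip the address threshold on their own.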