- Minimum length of either 8 or 16 characters.
- A maximum length of 2,048 characters.
- Check if password is in breaches? (optional)
It's probably a good idea to make sure they're not putting in a common or breached password. I don't have any other rules, it's pretty simple. I think having the one or more numbers, symbols, capital letters, is a bit overrated. I don't really need it, do I? Got any examples/scenarios on why an application would need or should have something like that? Please, share.
And I encourage people who are writing password this.
And as for storing passwords, I'm not just gonna leave it as plain-text, unless of course my intent is to steal credentials. So I'd use a strong hashing algorithm like Bcrypt or some variation of Argon2. Hashing the passwords is good enough, or so some of us believe. While I don't doubt that hashing the password is good, I believe that it could be taken further to protect the passwords.
Yes, encrypt the hash, with something strong. Preferably AES-256 or AES-128. And perhaps a more complex approach, signing keys with RSA and encrypting with AES based on that. Not gonna get too far into it (I don't wanna start talking about stuff I don't understand).
Doing it this way gives hackers/crackers, whatever you wish to call them, another step: to decrypt the hash, then finally deal with the hash.
Make sure the password is within the (8 or 16) to 2,048 character threshold, and optionally check if it's common or breached. Hash the password, then encrypt the hashed password, and finally store it somewhere.
Check these out, while you're reading about passwords.
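The pipeline the post sketches (length bounds, breach-list check, slow hash, then a keyed second layer whose key lives outside the database), as an added example that is not the poster's code. It assumes a few stand-ins: `hashlib.scrypt` from the standard library in place of bcrypt/Argon2, an HMAC with a server-side key in place of the AES encryption layer (the standard library has no AES; the defensive goal, a stored value that is useless without a secret kept elsewhere, is the same), a constructed four-entry breach list, and a constructed `PW_SERVER_KEY` environment variable name. Note the maximum-length check runs on verification too, so an over-long candidate never reaches the slow hash.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Optional

MIN_LENGTH = 8       # the post allows 8 or 16; 8 is used here
MAX_LENGTH = 2048    # upper bound keeps the slow hash from being fed huge inputs

# Constructed stand-in for a breached/common password list, stored as SHA-1
# digests since that is how breach corpora are commonly distributed.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "123456789", "qwertyuiop", "letmein!")
}

# Server-side secret kept outside the database (env var, KMS, HSM, ...).
# The variable name and fallback value are constructed for this example.
SERVER_KEY = os.environ.get("PW_SERVER_KEY", "example-only-server-key").encode()


def check_policy(password: str) -> Optional[str]:
    """Return a rejection reason, or None if the password is acceptable."""
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    if len(password) > MAX_LENGTH:
        return f"longer than {MAX_LENGTH} characters"
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    if digest in BREACHED_SHA1:
        return "found in breach/common-password list"
    return None


def _slow_hash(password: str, salt: bytes) -> bytes:
    # scrypt from the standard library stands in for bcrypt/Argon2.
    # 128 * n * r = 16 MiB of memory per hash with these parameters.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def _wrap(raw_hash: bytes, key: bytes) -> bytes:
    # Keyed second layer: HMAC stands in for the post's "encrypt the hash" step.
    # Without SERVER_KEY a stolen database row cannot be tested offline.
    return hmac.new(key, raw_hash, hashlib.sha256).digest()


@dataclass
class StoredPassword:
    salt: bytes      # per-user random salt, stored alongside the record
    wrapped: bytes   # keyed wrap of the slow hash; this is what gets stored


def register(password: str, key: bytes = SERVER_KEY) -> StoredPassword:
    """Apply the policy, hash, wrap with the server key, return the record."""
    reason = check_policy(password)
    if reason is not None:
        raise ValueError(f"password rejected: {reason}")
    salt = secrets.token_bytes(16)
    return StoredPassword(salt=salt, wrapped=_wrap(_slow_hash(password, salt), key))


def verify(record: StoredPassword, candidate: str, key: bytes = SERVER_KEY) -> bool:
    """Recompute the wrapped hash for the candidate and compare in constant time."""
    if len(candidate) > MAX_LENGTH:
        return False
    expected = _wrap(_slow_hash(candidate, record.salt), key)
    return hmac.compare_digest(expected, record.wrapped)


if __name__ == "__main__":
    rec = register("correct-horse-battery")
    print("stored salt:", rec.salt.hex())
    print("stored wrap:", rec.wrapped.hex())
    print("verify correct:", verify(rec, "correct-horse-battery"))
    print("verify wrong:  ", verify(rec, "correct-horse-batter"))
```

The breach check is shown as a local lookup; a real deployment would query a range-based breach API or a full offline corpus instead of a four-entry set, but the shape of the check (hash the candidate, look the digest up, reject on a hit) is the same.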