Originally Posted by bacterozoid
A good list. I disagree with two points:
1. Using a framework. This is less of a guideline and more of a recommendation. I think frameworks are bloated and unnecessary and I certainly never plan on using one - but I can still organize my code and implement strong security techniques.
2. Password length. Most users would have trouble remembering a password 12-14 characters long. Yes, it is good to have long passwords, but 8 characters minimum is a little more reasonable.
1. I acknowledge that using a framework is my recommendation. Still, the fact remains that most professional programmers use some kind of framework to work on their projects. So there must be some merit to them. Rather than expound on the advantages of programming frameworks here myself, I'll provide you with a few links that I quickly found:
...and in general:
Rapid Application Development framework
I would Google these keywords and research what all of the fuss is about. In terms of code organization and security, the level of code abstraction in frameworks facilitates more organized and concise code, and effectively automates secure coding techniques (a high degree of security is already assured just by implementing and building on top of the framework's core code).
2. The strength of a password will vary depending on the application and the security required. For example, sites that protect access to sensitive data (e.g., bank/merchant account info, credit card numbers, social security numbers, etc.) obviously warrant stronger passwords than a WordPress blog. In any event, hackers are becoming more and more adept at cracking "weak" passwords. A few links on password strength:
(All bias against Microsoft aside, they must be doing something right!)
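The two posts above disagree about an 8-character versus a 12-14-character minimum without putting numbers on it. The following is an added worked example (not code from either poster) that computes the brute-force search space for a uniformly random password at several lengths and character sets, and the worst-case time to exhaust it at two assumed offline guess rates. The character-set sizes and the guess rates are constructed assumptions for the comparison, not figures from the thread; real rates depend on the hash algorithm and hardware.

```python
import math

# Character-set sizes a password might be drawn from (assumed for this example).
CHARSETS = {
    "lowercase": 26,
    "alphanumeric": 62,
    "printable ASCII": 95,
}

# Assumed offline guess rates in guesses per second. Placeholders for the
# comparison only: a fast unsalted hash versus a slow, adaptive one.
GUESS_RATES = {
    "fast unsalted hash": 1e10,
    "slow adaptive hash": 1e5,
}


def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of search space for a uniformly random password of this length."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_sec: float) -> float:
    """Worst-case seconds to try every candidate of this length at the given rate."""
    return charset_size ** length / guesses_per_sec


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that fits (years down to seconds)."""
    units = [
        ("years", 365 * 24 * 3600),
        ("days", 24 * 3600),
        ("hours", 3600),
        ("minutes", 60),
    ]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def comparison_table(lengths=(8, 12, 14)):
    """Return (charset, length, bits, {rate_name: seconds}) rows for each combination."""
    rows = []
    for cs_name, cs_size in CHARSETS.items():
        for length in lengths:
            bits = entropy_bits(cs_size, length)
            times = {
                rate_name: seconds_to_exhaust(cs_size, length, rate)
                for rate_name, rate in GUESS_RATES.items()
            }
            rows.append((cs_name, length, bits, times))
    return rows


if __name__ == "__main__":
    for cs_name, length, bits, times in comparison_table():
        timing = ", ".join(f"{k}: {human_time(v)}" for k, v in times.items())
        print(f"{cs_name:16} {length:2d} chars  {bits:5.1f} bits  {timing}")
```

Two caveats when reading the output: the numbers assume a uniformly random password, and human-chosen passwords have far less effective entropy than their length suggests, so a dictionary or rule-based attack finishes long before the search space is exhausted; and the "slow adaptive hash" column shows that the server-side hashing choice shifts every row by orders of magnitude regardless of the length policy imposed on users.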