Jeff Atwood makes the obvious point that the worst of the many bad things about passwords is password rules:
Password rules are bullshit
- They don’t work.
- They heavily penalize your ideal audience, people that use real random password generators. Hey guess what, that password randomly didn’t have a number or symbol in it. I just double checked my math textbook, and yep, it’s possible. I’m pretty sure.
- They frustrate average users, who then become uncooperative and use “creative” workarounds that make their passwords less secure.
- They are often wrong, in the sense that the rules chosen are grossly incomplete and/or insane, per the many shaming links I’ve shared above.
- Seriously, for the love of God, stop with this arbitrary password rule nonsense already. If you won’t take my word for it, read this 2016 NIST password rules recommendation. It’s right there, “no composition rules”. However, I do see one error, it should have said “no bullshit composition rules”.
I would add that possibly the worst password rule is the one that demands you change your password on a regular basis. Either people will start writing their passwords down, or they will come up with a pattern that ensures their passwords are always easy to guess.
Password rules aren’t just bullshit, they are actively counter-productive.
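To put numbers on the quoted point about random generators, here is an added example (mine, not from Atwood's post or the NIST document) that contrasts a typical composition policy with a NIST SP 800-63B style check (length bounds plus a blocklist, no composition rules), and computes how often a uniformly random password lacks a whole character class. The blocklist and the sample passwords are constructed for illustration.

```python
import math
import string

# Typical composition policy: at least 8 chars and one of each class.
def composition_rule_check(pw: str) -> bool:
    classes = [string.ascii_uppercase, string.ascii_lowercase,
               string.digits, string.punctuation]
    return len(pw) >= 8 and all(any(c in cls for c in pw) for cls in classes)

# Constructed stand-in for a breached/common-password blocklist
# (a real one holds millions of entries).
BLOCKLIST = {"password", "password1", "password1!", "qwerty123", "letmein"}

def nist_style_check(pw: str, blocklist=BLOCKLIST,
                     min_len: int = 8, max_len: int = 64) -> bool:
    """NIST-style check: minimum length, allow long passwords (at least 64),
    reject blocklisted values, and impose no composition rules at all."""
    if not (min_len <= len(pw) <= max_len):
        return False
    if pw.lower() in blocklist:
        return False
    return True

def prob_missing_class(length: int, alphabet_size: int, class_size: int) -> float:
    """Probability that a uniformly random password of `length` characters
    over an alphabet of `alphabet_size` contains none of a class of `class_size`."""
    return ((alphabet_size - class_size) / alphabet_size) ** length

def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string of `length` chars over the alphabet."""
    return length * math.log2(alphabet_size)

if __name__ == "__main__":
    weak = "Password1!"                 # constructed: pattern-shaped, on every breach list
    random_lower = "xkqvtwbzmfrpldhs"   # constructed: 16 chars, lowercase-only generator
    for pw in (weak, random_lower):
        print(f"{pw!r}: composition={composition_rule_check(pw)} "
              f"nist={nist_style_check(pw)}")
    # 94 printable ASCII characters: 26 + 26 + 10 digits + 32 symbols.
    print(f"P(no digit in 16 random chars)  = {prob_missing_class(16, 94, 10):.3f}")
    print(f"P(no symbol in 16 random chars) = {prob_missing_class(16, 94, 32):.4f}")
    print(f"random 16 lowercase = {entropy_bits(16, 26):.1f} bits, "
          f"8 chars over 94 = {entropy_bits(8, 94):.1f} bits")
```

The composition policy accepts the blocklisted "Password1!" and rejects the far stronger random lowercase string, and roughly one in six random 16-character printable-ASCII passwords has no digit at all.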