Password Rules Blow. The Best Part? They Don't Even Work

The father of Stack Overflow, Jeff Atwood, recently posted a long (and pretty entertaining) tirade on everyone’s favorite whipping boy, complex password-creation rules.

His rant notes that current password rule schemes, such as the requirement to include an infuriating variety of character types, don’t actually add much security. In fact, these rules are usually counterproductive and penalize people who DO use robust random password generators (like LastPass or my favorite, 1Password), because the rules often reject the passwords those tools produce.

One of the biggest REAL issues is password length. At eight characters or fewer, you might as well not bother. “These days, given the state of cloud computing and GPU password hash cracking, any password of 8 characters or less is perilously close to no password at all,” Atwood said. He advises folks to use 10 characters at the absolute minimum. That makes sense; only 5 of the top-25 most-used passwords are over 10 characters, so going into double digits is one reasonable rule that developers should enforce.
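To make the length-versus-composition argument concrete, here is an added example (not code from the post, Atwood, or Verodin) that puts a legacy composition-rule validator beside a length-first one. The legacy rule set (8-16 characters, four character classes, a fixed punctuation list) and the small common-password deny-list are constructed for illustration; the 10-character floor comes from Atwood's advice above. The keyspace helper shows why length is the lever that matters: a 12-character lowercase passphrase already has a larger search space than an 8-character password drawn from all 95 printable ASCII characters.

```python
import math
import string

# Constructed deny-list for illustration; a real deployment would load a
# published top-N list (assumption: one password per line).
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "abc123",
    "password1", "letmein", "iloveyou", "football", "admin",
}

MIN_LENGTH = 10    # Atwood's floor: 10 characters at the absolute minimum
MAX_LENGTH = 128   # generous ceiling so password-manager output is never rejected

ALLOWED_PUNCT = "!@#$%^&*"   # constructed "special character" set typical of legacy rules


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Search-space size in bits for a uniformly random password: log2(alphabet ** length)."""
    return length * math.log2(alphabet_size)


def legacy_validate(candidate: str) -> tuple[bool, str]:
    """The kind of composition policy the post complains about (constructed rule set).
    Accepts short passwords that satisfy the checkboxes and rejects long generated ones."""
    if not 8 <= len(candidate) <= 16:
        return False, "length must be 8-16 characters"
    if not any(c.isupper() for c in candidate):
        return False, "needs an uppercase letter"
    if not any(c.islower() for c in candidate):
        return False, "needs a lowercase letter"
    if not any(c.isdigit() for c in candidate):
        return False, "needs a digit"
    if not any(c in ALLOWED_PUNCT for c in candidate):
        return False, f"needs one of {ALLOWED_PUNCT}"
    allowed = set(string.ascii_letters + string.digits + ALLOWED_PUNCT)
    if any(c not in allowed for c in candidate):
        return False, "contains a character outside the allowed set"
    return True, "accepted"


def length_first_validate(candidate: str) -> tuple[bool, str]:
    """Length-first policy: no character-class rules, just a floor, a generous
    ceiling and a deny-list of well-known passwords. Returns (accepted, reason)."""
    if len(candidate) < MIN_LENGTH:
        return False, f"too short: need at least {MIN_LENGTH} characters"
    if len(candidate) > MAX_LENGTH:
        return False, f"too long: at most {MAX_LENGTH} characters"
    if candidate.lower() in COMMON_PASSWORDS:
        return False, "on the common-password deny-list"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample inputs: a checkbox-satisfying 9-character password, a
    # 22-character manager-style generated string, and a long lowercase passphrase.
    samples = ["Passw0rd!", "x8-Kq2-pL9-mT4-vB7-nR3", "correcthorsebatterystaple"]
    for pw in samples:
        print(f"{pw!r:30} legacy={legacy_validate(pw)} length_first={length_first_validate(pw)}")
    print(f"8 chars, 95-symbol alphabet: {keyspace_bits(8, 95):.1f} bits")
    print(f"12 chars, lowercase only:     {keyspace_bits(12, 26):.1f} bits")
    print(f"10 chars, 95-symbol alphabet: {keyspace_bits(10, 95):.1f} bits")
```

Run it and the contrast is the whole point of the post: the legacy rules wave through `Passw0rd!` and reject the generated 22-character string purely because it is too long, while the length-first policy does the opposite.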

Doesn’t make sense to you? I defer to Verodin’s favorite Thing Explainer, xkcd‘s Randall Munroe:

Verodin’s advice: it’s 2017, guys and gals – passwords are dying anyway. You should be protecting anything you really care about with two-factor authentication. (No, this isn’t a sales pitch for Verodin’s 2FA; we don’t even sell that stuff. We sell security instrumentation for attack-testing defense stacks. :-) Lots of the services you already use (like Gmail, or your bank) probably have a simple, workable 2FA capability built in.

Just turn it on.
