ByteZest

Seth Godin on Password Stupidity

Chris Coyier

Length requirements, character requirements, uppercase, lowercase, yadda yadda.

This is not just security theatre. It’s a waste of time, the math makes no sense and it leads people to create worse passwords, not better ones.

Password stupidity is no longer viable

I don’t know that it makes for worse passwords at the individual password level, but without requirements, there are probably far too many “1234” and “password” passwords out there. The problem is that people will pick a password that tends to meet these kinds of requirements and use it over and over. That’s a problem.
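To make the trade-off concrete, here is an added example (not code from Chris Coyier's post or from Seth Godin's) that puts the classic composition rule beside the alternative most guidance now favors: a minimum length plus a check against a list of commonly used passwords. The blocklist here is a small constructed sample standing in for a real breached-password corpus, the 12-character minimum is an assumed value, and the normalization step is a deliberately simple stand-in for what a production check would do.

```python
"""Composition-rule policy vs. length-plus-blocklist policy (added illustration)."""
import re

# Constructed sample of commonly reused passwords. A real deployment would
# query a large breached/common-password list instead of this handful.
COMMON_PASSWORDS = {
    "password", "123456", "1234", "qwerty", "letmein", "welcome", "admin",
}

# Simple substitutions people use to satisfy "must contain a digit/symbol"
# while keeping a dictionary word (assumed map, not exhaustive).
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})


def composition_policy(pw: str) -> bool:
    """The 'uppercase, lowercase, digit, symbol, at least 8 characters' rule."""
    return (
        len(pw) >= 8
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[a-z]", pw) is not None
        and re.search(r"\d", pw) is not None
        and re.search(r"[^A-Za-z0-9]", pw) is not None
    )


def normalize(pw: str) -> str:
    """Reduce a password to the word a user likely started from.

    Lowercase it, drop the digits/symbols bolted onto either end, then undo
    common character substitutions, so 'Password1!' and 'P@ssw0rd' both
    collapse to 'password' for the blocklist lookup.
    """
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return core.translate(_LEET)


def length_blocklist_policy(pw: str, min_len: int = 12) -> bool:
    """Accept any password of at least `min_len` characters (assumed value)
    whose raw or normalized form is not on the common-password list."""
    if len(pw) < min_len:
        return False
    if pw.lower() in COMMON_PASSWORDS:
        return False
    return normalize(pw) not in COMMON_PASSWORDS


def evaluate(pw: str) -> dict:
    """Return the verdict of both policies for one candidate password."""
    return {
        "composition_rules": composition_policy(pw),
        "length_plus_blocklist": length_blocklist_policy(pw),
    }


if __name__ == "__main__":
    # Constructed candidates: a rule-satisfying variant of a blocklisted word,
    # a long passphrase that fails the composition rule, and a trivial one.
    for candidate in ("Password1!", "correct horse battery staple", "1234"):
        print(f"{candidate!r}: {evaluate(candidate)}")
```

The interesting rows are the first two: "Password1!" satisfies every composition requirement yet is just "password" with the mandated extras appended, which is exactly the reuse pattern described above, while a long lowercase passphrase fails the composition rule despite being the stronger choice.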

Use a password manager that helps you pick unique and complex passwords and makes it easy to autofill them. Or use a social login with a very strong unique password and 2-factor auth. Better, use passkeys whenever they are available.

Blah blah though — you all know that.

What all this triggered in me though is: why? If silly password requirements are a bad idea, why have they persisted so long? Is it just dumb bosses as Seth implies?

I blame enterprise (like: “big companies”).

Selling software to enterprise means money. And doing so means hoop jumping. They need you to sign this, sign that. They need an SLA. They need you to be SOC 2 certified. They need the phone number of the on-call agent. They need a copy of your diversity policy. Then fifty more things, and you’ve landed the sale! I don’t even blame them. I want, for instance, my bank to have very strict policies.

In my experience, enterprise having requirements about your password requirements is a thing. All you gotta do is add a few extra requirements to your passwords for new users and you land that sale? Fine.

Big companies buying all sorts of different software from different third-party software makers can have a real influence on what everyone else ultimately experiences.


Jenniffer Sheldon

Update: 2024-03-22