Programmer community Stack Overflow's Jeff Atwood has laid out a few home truths about horrible password policies that annoy experts, confuse users, and make everyone less secure.
The internet is filled with examples, often perpetrated by major brands, of sites failing their users with bad password policies and poor practices, such as emailing users passwords in the clear.
Atwood decries the state of password policies in a new post entitled 'Password rules are bull****', pointing to three password-shaming sites that demonstrate the extent of the problem.
He highlights that some commonly used password rules end up preventing people from using random password generators and instead encourage them to pick short and easy-to-crack passwords.
"These days, given the state of cloud computing and GPU password hash cracking, any password of eight characters or fewer is perilously close to no password at all," he writes.
That figure of eight characters was the number Atwood set two years ago when he was building the password feature in his new site, Discourse. He's since updated that figure to a 10-character minimum for users and 15 characters for site admins and moderators.
However, as he points out, rules requiring long passwords don't necessarily encourage users to create unique passwords. Sometimes users will then pick bad passwords to get around the requirements.
And rules that attempt to enforce higher entropy in passwords, such as one containing at least one uppercase, lowercase, a number, and a special character don't serve the user well, particularly if these rules prevent people from using a random password generator.
Still, his research into leaked passwords found that password length is an important factor. For example, only five of the top 25 passwords are 10 characters in length. This rule should then reduce a site's exposure to the most common passwords.
His advises developers to avoid password composition rules, pointing to a recent recommendation from NIST on this issue.
"It's right there, 'No composition rules'. However, I do see one error, it should have said, "No bull**** composition rules"," writes Atwood.
Developers should however enforce a minimum Unicode password length, but he warns: "Accept that even this one rule isn't inviolate. A minimum password length of six on a Chinese site might be perfectly reasonable. A 20-character password can be ridiculously insecure."
Another rule of his is to check and prevent users from picking common passwords exposed in data breaches.
"There's no question that a hacker will submit these common passwords in a hack attempt, and it's shocking how far you can get, even with aggressive password attempt rate limiting," he writes.
One rule he admits getting wrong on Discourse was enforcing a 10-character rule but allowing users to pick a password such as 'aaaaaaaaaa'.
Finally, developers should prevent certain special-case passwords, such as ones that are the username or email address of the user, or ones that use the name of the site or app.
"In short, try to think outside the password input box, like a user would," he notes.