B
6

A user feedback made me rethink my password policy...

A client in Austin told me my 8 character minimum was 'like leaving the front door unlocked'. I bumped it to 12 characters with a mix of symbols and numbers. Now I'm wondering if I should push for 14 across the board... has anyone else seen pushback on longer passwords?
3 comments

Log in to join the discussion

Log In
3 Comments
joel_hall17
I read something from a guy at a security conference who said that forcing people to use 12+ characters just makes them write it down or use the same one everywhere. He was all about passphrases made of random words like "correct horse battery staple" instead.
3
parker183
parker18319d ago
Heard a talk from some security guy once who said the real issue isn't length it's that people just reuse the same 12 character password everywhere. So even if you bump it to 14 characters that doesn't help if they use that same password on some random forum that gets hacked. I get why you want to push for longer but maybe focus more on making them use a password manager so they don't have to remember all these complex strings. Also saw a study that said longer passwords with common words people can actually remember are often harder to crack than short ones full of symbols.
2
rubyshah
rubyshah19d ago
Well @parker183 is basically calling out the elephant in the room, and yeah, it's kind of funny how we keep telling people to make longer passwords but then they just use the same one for everything. I mean, what's the point of a 14 character password if it's also your login for a knitting forum that got breached in 2019? The part about password managers is spot on too, but then you run into the problem of people writing their master password on a sticky note under their keyboard. And that study about common words being harder to crack is true up to a point, but only if you pick four random words that don't make a sentence, otherwise a hacker's dictionary attack will get you eventually. So really we're all just stuck in this weird cycle where nothing seems to work perfectly, but using the same password everywhere is definitely the biggest mistake most folks make.
3