Password policies

Guaranteed to annoy someone, and if you’re really lucky then you get to annoy everyone. If users can’t remember their passwords then you’re annoying two sets of people – the users who can’t use their stuff and the IT dude who has to reset their passwords every day. The reason that there are so many automated reset tools is that you can’t remember them and we have better things to do.

Passwords are not one-size-fits-all, and forcing people to obey complex requirements can often result in decreased security. A password policy of 8-12 characters that forces numbers and symbols means that people are often stuck making passwords they don’t want or can’t remember. If somebody can’t remember their password, or harbours a deep loathing towards the whole process, they are more likely to write it down, reuse it and even share it.

  • A short, complex password is good because its strength lies in its complexity
  • A longer password is good because its strength lies in its size

Balance

For a balance of usability and security I’m completely relaxing the requirements under certain circumstances and being really nasty about them in others. The requirements here are flexible enough for people to choose the kind of password that they find easiest to remember.

  1. Passwords must be a minimum 8 characters.
  2. The requirements change depending on how long the password is.

8-12 character passwords have a minimum requirement of upper, lower, numbers & symbols
12-15 character passwords have a minimum requirement of upper, lower & numbers
16-19 character passwords have a minimum requirement of upper & lower
20+ character passwords have a minimum requirement of lower

So users can choose a password that suits their memory, while still having it be reasonably secure. I’m not suggesting that any of this is unhackable; instead it’s an attempt to promote really long passwords that people find easy to remember. The only rules are:

If you want a short password you need to make it complex
If you want a simple password you need to make it long

(or if a 48 digit password that’s all random hex is your thing, that’s fine too)
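The tiered rules above as a checker, written here as an added example (my code, not anything from the post) that reports what a password is missing rather than just yes/no. Assumptions of mine: a 12-character password falls into the second tier, since the post's ranges overlap at 12; spaces count towards length but towards no character class; and the denylist is seeded with the stupid passwords named further down the page.

```python
"""Tiered password-policy check: the longer the password, the fewer
character classes it must contain (added example, not the post's code)."""
import string

MIN_LENGTH = 8

# (minimum length, classes required), most lenient tier first.
# Tiers are 8-11, 12-15, 16-19 and 20+; the post's 8-12 / 12-15 overlap
# at 12 is resolved towards the more lenient tier (my assumption).
TIERS = [
    (20, {"lower"}),
    (16, {"upper", "lower"}),
    (12, {"upper", "lower", "digit"}),
    (8,  {"upper", "lower", "digit", "symbol"}),
]

# Passwords the post calls out; compared case-insensitively.
BANNED = {"summer123", "password", "p@ssw0rd!", "iloveyou"}


def classes_present(pw):
    """Return the set of character classes found in pw (spaces count as none)."""
    found = set()
    for ch in pw:
        if ch.islower():
            found.add("lower")
        elif ch.isupper():
            found.add("upper")
        elif ch.isdigit():
            found.add("digit")
        elif ch in string.punctuation:
            found.add("symbol")
    return found


def required_classes(length):
    """Pick the tier whose minimum length the password reaches."""
    for min_len, required in TIERS:
        if length >= min_len:
            return required
    return set()


def check_password(pw):
    """Return (accepted, reasons). Length and denylist are checked before
    the tier rules so 'P@ssw0rd!' fails even though it has every class."""
    if len(pw) < MIN_LENGTH:
        return False, [f"shorter than {MIN_LENGTH} characters"]
    if pw.lower() in BANNED:
        return False, ["commonly used password"]
    missing = sorted(required_classes(len(pw)) - classes_present(pw))
    return not missing, [f"missing {c}" for c in missing]
```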

Remembering long passwords

String together random words:
flying pizza death eagle = 21
weirdo pineapples pigeon = 22

Pick something that means something to you and can change often:

i like wearing my adidas = 20
this week im all about the nikes tho = 29
darklink keeps giving me stupid password rules = 40
i wish he would just go away = 22

Avoid famous phrases or quotations.
Family jokes or catchphrases are good because few people know them and you will never forget them.
Avoid lyrics, Bible verses or things that can be easily Googled.
Avoid all the stupid passwords like summer123, password, P@ssw0rd!, iloveyou, names of your pets/children, etc.

Find passwords that are written down, in plain sight, and are not obviously passwords. Use the things that are on your desk.
Don’t have a post-it that says “my password =” but do use the book on your desk and make your password the first line from page 45.
Do have a password of ‘my desk lamp has a squeaky leg’