Dumb Password Rules
About
- Why does this exist?
I get very annoyed when I encounter a dumb password rule in the wild. One day, I had enough and wanted to let everybody know how dumb these rules are.
- Who made this?
Originally created by me. Made what it is today by all the wonderful contributors. ❤️
- What's this about a bot?
There's also a bot that periodically toots random rules on Mastodon!
- What makes a dumb password?
You probably know it when you see it. "Maximum 17 characters, must start with a 7, no ~ allowed." If you aren't sure, open a new issue or PR to discuss. This isn't a scientific study. There aren't any hard and fast rules though, so let's talk about it.
- What makes a good password policy?
The current NIST guidelines for passwords state:
- Longer passwords (>=8 characters), but recommend even longer ones (passphrases with +64 characters)
- Don't require password complexity like caps, special chars, etc.; instead disallow bad or blacklisted passwords like "password" or "123456" by making use of
  - libs: e.g. zxcvbn ("a password strength estimator inspired by password crackers")
  - APIs: e.g. haveibeenpwned API
- Avoid mandatory password changes except in cases of suspected compromise.
- Allow copy-paste to facilitate the use of password managers.
- Use two-factor authentication (2FA) or multi-factor authentication (MFA), especially for high-value accounts.
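To make the contrast concrete, here is an added Python example (not code from the Dumb Password Rules project) that implements the FAQ's own "dumb" rule set ("Maximum 17 characters, must start with a 7, no ~ allowed") next to a check that follows the guidance above: a length floor, no composition rules, no upper bound that would block long passphrases, and a denylist lookup. The denylist is a tiny constructed stand-in; a real deployment would use a large breached-password list or the haveibeenpwned API, which this example deliberately does not call, and could add a zxcvbn-style estimator as a further check.

```python
"""Contrast a 'dumb' password rule set with a NIST-style policy check.

Added example, not part of the Dumb Password Rules project. The denylist and
the sample passwords are constructed for illustration only.
"""
from dataclasses import dataclass, field

# Constructed mini denylist. A real check would consult a large breached-password
# corpus (e.g. via the haveibeenpwned API) instead of this hard-coded set.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "password1"}


@dataclass
class Verdict:
    """Result of a policy check: accepted or not, plus the reasons for rejection."""
    ok: bool
    reasons: list = field(default_factory=list)


def dumb_policy(pw: str) -> Verdict:
    """The FAQ's example rule: max 17 chars, must start with '7', no '~'.

    Every one of these rules shrinks the space of allowed passwords and
    rejects strong passphrases while letting short, predictable ones through.
    """
    reasons = []
    if len(pw) > 17:
        reasons.append("longer than 17 characters")
    if not pw.startswith("7"):
        reasons.append("does not start with 7")
    if "~" in pw:
        reasons.append("contains ~")
    return Verdict(not reasons, reasons)


def nist_style_policy(pw: str, denylist=COMMON_PASSWORDS, min_len: int = 8) -> Verdict:
    """Length floor, no composition rules, no length ceiling, denylist lookup.

    Length is counted in characters (not bytes) so that non-ASCII passphrases
    are not penalised, and there is no maximum, so 64+ character passphrases
    from a password manager are accepted.
    """
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    # Normalise case before the lookup so trivial variants of denied
    # passwords ("Password", "PASSWORD") are still caught.
    if pw.lower() in denylist:
        reasons.append("appears in denylist")
    return Verdict(not reasons, reasons)


def compare(pw: str) -> dict:
    """Run both policies on one candidate and report which accepts it."""
    return {"dumb": dumb_policy(pw).ok, "nist": nist_style_policy(pw).ok}


if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "7short", "PASSWORD"]:
        print(f"{candidate!r}: {compare(candidate)}")
```

Running the block shows the inversion the list above is complaining about: the long passphrase is rejected by the dumb rules and accepted by the NIST-style check, while a six-character password beginning with "7" passes the dumb rules and fails the length floor.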
- I found a password rule that I think is dumb. Can I add it to this list?
New contributions are always welcome! Please add your entry on GitHub. If you're not a developer and don't know what GitHub is or how to work with it, why don't you drop me a line and I'll lend a hand!
- My company is on this list. How can I have us removed?
If you've fixed your dumb password rule, awesome! I'll happily remove entries that have been corrected. Please open a pull request to have your entry removed on GitHub.