Bad Password Policies

It seems like I’ve been shouting into the wind forever about password policies and it hasn’t made a bit of difference. There’s probably little anyone can do about users choosing really dumb passwords—like password or 123456 and so forth—but you’d think that Web sites would at least implement sensible password policies.

Alas, no. Dumb Password Rules is a crowd-sourced GitHub repository of, well, dumb password rules. It’s late 2019 and there really is no excuse for a site insisting on rules like passwords must be between 6 and 8 letters/numbers long with no special characters. Yet there are an astounding number of sites doing just that. These aren’t just Joe’s Online Fish Market, either. They’re banks, big retail organizations and even the government.

Scroll through as much of the site as you can stand. Even the Irreal minions refused to read the whole thing claiming it was just too painful.

I’ve said it many times before but it bears repeating: avoid sites that have any[1] restrictions on what your password can look like. If they’re doing it right, those passwords are going to be salted and hashed with something like bcrypt or one of its brethren and it won’t matter what characters they contain or how long they are. If they insist on some arbitrary restrictions you can be sure that your passwords aren’t being hashed and that when the site is inevitably broken into, your password will be exposed.

Sometimes you can’t avoid those sites. After all, we have to deal with our banks (they’re among the worst offenders, ironically), wireless providers, and similar institutions, but in those cases you should make an extra effort to use a password as complicated as their rules allow.

It’s pretty clear that passwords aren’t going away anytime soon so sites should take the situation seriously, start salting and hashing our passwords, and stop insisting on arbitrary and dumb rules on what they can be.

Footnotes:

[1] Other than a large—1024 characters, say—maximum size.
