Stupid Password Requirements

The most stupid password requirement I met this year.
I’m sorry I can’t recall the site it came from.

Minimum 8 characters
Maximum 32 characters
At least 1 Lowercase letter (a-z)
At least 1 Uppercase letter (A-Z)
At least 1 Number (0-9)

Now then, what should a password be made of?

If you search the internet for that, you come across many different statements. But as far as I know, there is only one good rule: make your password as long as possible, because then a brute force attack on it is harder.

There are people saying things like:

Make up a sentence you can easily remember, take the first letter of every word in the sentence, and include a punctuation mark or turn numbers into digits for variety. Then ‘I have two kids: Jack and Jill.’ would become Ih2k:JaJ

Queen Sylvanas would turn in her grave if she wasn’t undead already. You’re better off using the sentence than the ‘shortened’ version. If it comes to attacking your account (not by social engineering, that’s a whole other story), which one would be the first to be found? The shortest one, of course.

Therefore, as a programmer or architect you should seriously reconsider if you have limits like “your password can only be 32 characters long”. Allow at least 256! People should be able to write a book as their password. A book they remember, that they know by heart.
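To put numbers on the argument above, here is a small added example (not code from the original post) that estimates the exhaustive-search space of the abbreviation Ih2k:JaJ versus the full sentence, and runs both through the quoted 8–32 character policy and through a length-first policy. The length-first policy's minimum of 16 characters is an assumption for illustration; the 256-character maximum is the figure from the post. The estimate models a per-character brute force over the smallest character-class alphabet that covers the password and deliberately ignores dictionary or phrase attacks, so it is an upper bound, not a strength guarantee.

```python
import math
import string

# Character classes an exhaustive search has to include once the attacker
# knows (or assumes) the password draws from them.
CLASSES = {
    "lower": set(string.ascii_lowercase),          # 26
    "upper": set(string.ascii_uppercase),          # 26
    "digit": set(string.digits),                   # 10
    "other": set(string.punctuation + " "),        # 33
}

# The two passwords discussed in the post.
ABBREVIATION = "Ih2k:JaJ"
SENTENCE = "I have two kids: Jack and Jill."


def alphabet_size(password):
    """Size of the union of character classes that appear in the password."""
    return sum(len(cls) for cls in CLASSES.values()
               if any(ch in cls for ch in password))


def brute_force_bits(password):
    """log2 of the guesses needed to enumerate alphabet_size ** len(password)."""
    return len(password) * math.log2(alphabet_size(password))


def check_weak_policy(password):
    """The 8-32 character, mixed-class policy quoted at the top of the post.
    Returns a list of rule violations (empty list means accepted)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8")
    if len(password) > 32:
        problems.append("longer than 32")
    if not any(ch in CLASSES["lower"] for ch in password):
        problems.append("no lowercase letter (a-z)")
    if not any(ch in CLASSES["upper"] for ch in password):
        problems.append("no uppercase letter (A-Z)")
    if not any(ch in CLASSES["digit"] for ch in password):
        problems.append("no digit (0-9)")
    return problems


def check_length_first_policy(password, min_len=16, max_len=256):
    """Length-only policy: any character allowed, long maximum.
    min_len=16 is an assumed value for illustration; max_len=256 is the post's figure."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len}")
    if len(password) > max_len:
        problems.append(f"longer than {max_len}")
    return problems


if __name__ == "__main__":
    for pw in (ABBREVIATION, SENTENCE):
        print(f"{pw!r}: {len(pw)} chars, alphabet {alphabet_size(pw)}, "
              f"~{brute_force_bits(pw):.1f} bits of exhaustive search")
        print("  weak policy says:        ", check_weak_policy(pw) or "accepted")
        print("  length-first policy says:", check_length_first_policy(pw) or "accepted")
```

Run as written, the abbreviation passes the quoted policy at roughly 53 bits of search space, while the full sentence, at roughly 199 bits, is rejected by that same policy because it contains no digit. The length-first policy accepts the sentence and rejects the abbreviation, which is the ordering the post argues for.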

As a user of a website or service you should complain if you get stupid password requirements! Ask for the possibility of something long with any character you like. Not with obligatory weird characters and punctuation marks; they are just fooling you into thinking you are more secure with a password of 8 chars and a number…
