Is there any way that the password requirements can be more relaxed/outright removed? While it's unlikely that this site is holding data crucial to national security, NIST password guidelines discourage password complexity and periodic password change requirements since users often get around such things by making easy to guess passwords.
I remember at my last job as a contractor, user password policy was something like at least 1 capital letter, number and/or special character and while migrating people over from Win 7 to 10 I had to get their passwords to copy over their stuff - I lost count of how many people had ridiculously easy to guess passwords that one could obtain just by getting friendly with them and asking them questions about things like their kids and how old they were. It also wasn't uncommon for people to simply change the password by one number when passwords reached their ridiculously short 2 month expiration time.
But who cares about what went on at my last job, it's simply quite bothersome. While making this post I just realised that with some sites that enforce incredibly complex password requirements (I remember one particular banking site enforcing 8 characters on passwords, no more, no less) cracking such passwords would be easier given that the attacker would know that passwords would be of specific length and characters.
I guess I'm just ranting since bouncing around different worksites I have had to come up with all sorts of passwords given the silly complexity requirements. At least on this site, I can have a say about it and not get ignored by upper management or something.
Site password requirements
-
- Posts: 117
- Joined: Thu Jan 05, 2017 12:28 am
Site password requirements
tp for my bunghole?
-
- Posts: 3
- Joined: Fri Feb 21, 2020 2:48 pm
Re: Site password requirements
I'd suggest using a password manager like keepass. Even if you need one-offs, you can generate one and let your browser remember it. A lot of websites have these requirements to deflect any blame for dumb passwords.
-
- Posts: 187
- Joined: Thu Nov 15, 2018 4:04 am
Re: Site password requirements
MyTaHTMacTep wrote: ↑Fri Feb 21, 2020 4:17 pm
I'd suggest using a password manager like keepass. Even if you need one-offs, you can generate one and let your browser remember it. A lot of websites have these requirements to deflect any blame for dumb passwords.

This topic was from two years ago. Please look at when something was posted before replying.
-
- Posts: 117
- Joined: Thu Jan 05, 2017 12:28 am
Re: Site password requirements
MyTaHTMacTep wrote: ↑Fri Feb 21, 2020 4:17 pm
I'd suggest using a password manager like keepass. Even if you need one-offs, you can generate one and let your browser remember it. A lot of websites have these requirements to deflect any blame for dumb passwords.

I'd rather not use password managers, previous experience with LastPass and security breaches has kind of been a turn off. Just removing silly complexity and expiry requirements is better as that increases security much more than many people think.
tp for my bunghole?
- jlf65
- Posts: 1535
- Joined: Wed Aug 10, 2016 9:10 pm
Re: Site password requirements
I make my passwords from fragments that are easy to remember, then piece them together. Example: I write down my password for a site like superhero_pi, and in my head I know which superhero I mean, and how many digits of pi I use. It gets more complicated than that - that's a simple example of what I mean. So I can write down my passwords while still having them be secret.
-
- Posts: 117
- Joined: Thu Jan 05, 2017 12:28 am
Re: Site password requirements
Yeah only problem is sometimes you come across the site that absolutely requires you to have a number or special character in your password (hey look two things to narrow down password cracking! Bonus points if the password must be a fixed number of characters) and said password is easy to remember but hard for computers to guess because it's long.
tp for my bunghole?
- jlf65
- Posts: 1535
- Joined: Wed Aug 10, 2016 9:10 pm
Re: Site password requirements
Yeah, I've got accounts on a few sites that mandate a maximum password length of 8 characters. That should be a piece of cake to brute force these days. I think that should be a minimum, with no maximum.
Funny story I like to tell when threads come up on passwords... some three or four years back, I was at Lowes getting some plywood with my dad that needed to be cut to a certain length. The cutter had a keypad that needed a code to turn on. It only had four 7-segment displays, so I told my dad "bet you the code is either 1234, or 4321." The guy punches in 4321 and it doesn't do anything, so he punches it in again and it still doesn't come on. He calls someone, then punches in 1234 and it fires right up.
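
An added example, not part of any post in this thread and not this site's code: a sketch of the length-plus-blocklist check that the NIST guidance mentioned in the opening post favours over composition rules, placed next to the fixed-length composition rule the thread complains about. The blocklist entries, the minimum length constant and the function names are constructed for illustration.

```python
import re

# Constructed sample blocklist; a real deployment would load a large list
# of breached and commonly used passwords instead.
BLOCKLIST = {"password", "summer1!", "qwerty123", "letmein1"}
MIN_LEN = 8  # a minimum only; no maximum length is enforced


def legacy_policy(pw):
    """Fixed-length composition rule of the kind described in the thread."""
    problems = []
    if len(pw) != 8:
        problems.append("must be exactly 8 characters")
    if not re.search(r"[A-Z]", pw):
        problems.append("needs an upper-case letter")
    if not re.search(r"\d", pw):
        problems.append("needs a digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("needs a special character")
    return problems


def is_trivial_run(pw):
    """True for one repeated character or a straight run such as 87654321."""
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({0}, {1}, {-1})


def length_blocklist_policy(pw, username=""):
    """Minimum length, blocklist and context checks; no composition rules."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"must be at least {MIN_LEN} characters")
        return problems
    if pw.lower() in BLOCKLIST:
        problems.append("on the blocklist of common passwords")
    if is_trivial_run(pw):
        problems.append("sequential or repeated characters")
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    return problems


if __name__ == "__main__":
    for candidate in ("Summer1!", "87654321", "correct horse battery staple"):
        print(repr(candidate), legacy_policy(candidate),
              length_blocklist_policy(candidate))
```

The composition rule accepts the guessable `Summer1!` and rejects the long passphrase, while the length-plus-blocklist check does the opposite.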

