I am very tired of seeing arbitrary password rules that are different for every web or mobile app. It's almost like these apps aren't following a standard and are just making up their own rules that aren't based on good security practices.
All too often I see password entry requirements like this:
Who came up with the idea that you need to have short passwords with only certain types of symbols that are impossible for the average human to remember?
XKCD made an excellent point about this here:
More Secure Passwords
Decades ago, it was recommended that people use more complex passwords containing numbers and symbols to make them more secure. That is no longer the recommendation of security professionals – even the ones who used to recommend more complex passwords now say that practice is outdated.
Security testing shows that the best ways to make passwords more secure is to simply make them longer and use a unique one for every app or website. They don't even have to be fancy or completely random. But you should be using a password manager to generate them anyway.
I recommend using 1Password (browser), Encryptr (desktop), or RoboForm (browser). Then you will just have one password to remember and have the password manager do the hard work of generating a unique one for every app or website you use.
- Here is a full list of best practices for creating passwords by security researcher Troy Hunt.
- If you want to dive deep into password strength estimation, I highly recommend this talk by Daniel Wheeler at Dropbox.
Remember, make longer passwords, educate yourself by reading Troy Hunt's article, and use a password manager.
I hope you enjoyed this brief article. Let me know your feedback or additional recommendations in the comments.
Here is how you can reach me: