Stop forcing your arbitrary password rules on me.

Published on October 22, 2015

I recently read a blog post on forcing more complex passwords. I'm all for more security, but I don't think these kinds of techniques are the best way and are more nuisance than helpful.

Problem

You want to enforce more secure passwords, I get it. However,

Stop forcing your crappy password rules on me :(

Don't take this post too harshly, I am just trying to make a point. I am not specifically addressing the author of that post, I am just inspired to write my thoughts because of it. I am speaking to everyone in general who uses these password rules on their sites and services. I am sick of these types of rules:

'password' => [
    'required',
    'confirmed',
    'min:8',
    'regex:/^(?=\S*[a-z])(?=\S*[A-Z])(?=\S*[\d])\S*$/',
];

Password must contain 1 uppercase letter, 1 lowercase letter, and 1 number.

With a rule like that, the password Abcd1234 would pass your validation, but mu-icac-of-jaz-doad would not.

I know you are probably wanting people to use random character passwords, like i%Mk3c4n but your rules aren't actually enforcing this, and even if they were, these passwords are a nuisance and not secure unless they are actually quite long -- which makes them even more of a nuisance. They are a pain to type out, especially on a phone or a computer that you don't have your password manager installed on.

Secondly, the people who would use insecure passwords will still use stupid ones like Loverboy1964, so you are not helping anybody.

Stop forcing your arbitrary rules on me and encouraging others to do so -- my password is better anyway.

Examples

Two passwords you'll allow:

Abcd1234

iiMk3c4nxvqgTGHB

Two passwords you won't allow:

mu-icac-of-jaz-doad

chili dog monkey nutso

Solution

I don't know, but if you really want to enforce something more secure than the passwords on this list, then don't try to force unnecessarily complex patterns. Your validation rules will still let people use most of those by just adding either a capital letter and/or a number or three.

Instead, why not just increase the minimum required length and not allow number sequences of 3 or more /[0-9]{3,}/?

You could go a small step beyond that and not allow the same character to be repeated more than twice in a row /(.)\1{2,}/ (adjacent), and still not be bothering people all that much.

That would eliminate most of those and would not unnecessarily restrict your users' password choices.

Update

Better yet, why not forget all of these rules and just use a minimum password entropy requirement.

dropbox zxcvbn

From sarciszewski on reddit:

I don't get why more people don't just use Zxcvbn.

We don't particularly care what your password contains, as long as this reasonable entropy estimator says it's good enough. Want to drop 2000 'A' characters followed by an ASCII penis? Well, zxcvbn won't fail you for not including a lowercase letter.

Related

PASSWORD STRENGTH (xkcd)

xkcd

Reddit comment