The US government’s latest recommendations acknowledge that password composition and reset rules are not just annoying, but counterproductive. The story of why password rules were recommended and enforced without scientific evidence since their invention in 1979 is a story of brilliant people, at the very top of their field, whose well-intentioned recommendations led to decades of ignorance. These mistakes are worth studying, in part, because the people making them were so damn brilliant and the consequences were so long lasting.

Comments

  • @JakenVeina@lemm.eeEnglish
    13 months ago

    So, how long until these US Government recommendations actually get implemented by the US Government?

    The password requirements thst I constantly have to work around at work, for our Oracle server, are as follows:

    • Must change every 3 months
    • Cannot have X number of characters the same, compared to the previous password
    • Max length of 30 characters (god, but this always infuriates me)
    • At least 2 lowercase letters
    • At least 2 uppercase letters
    • At least 2 numbers
    • At least 2 symbol characters (but with a whole bunch of them, like @, considered invalid)
    • Cannot have the same character twice in a row (what possible purpose does this serve?!)

    There’s probably others I can’t even remember, or haven’t encountered.