The US government’s latest recommendations acknowledge that password composition and reset rules are not just annoying, but counterproductive. The story of why password rules were recommended and enforced without scientific evidence since their invention in 1979 is a story of brilliant people, at the very top of their field, whose well-intentioned recommendations led to decades of ignorance. These mistakes are worth studying, in part, because the people making them were so damn brilliant and the consequences were so long lasting.

Comments

  • @graycubeEnglish
    61 month ago

    Interesting little history piece, but I did not see any evidence that password complexity rules don’t help which i think was supposed to be the point of the article.

    • @[email protected]English
      11 month ago

      The article leads with the US Government changing their recommendations on password policies, so the assumption is that they’ve done the homework. Still, yeah, I’d have been interested to see the details.

  • @EheranEnglish
    31 month ago

    They got it wrong because they never understood how these passwords existed to begin with.

  • @[email protected]English
    11 month ago

    So, how long until these US Government recommendations actually get implemented by the US Government?

    The password requirements thst I constantly have to work around at work, for our Oracle server, are as follows:

    • Must change every 3 months
    • Cannot have X number of characters the same, compared to the previous password
    • Max length of 30 characters (god, but this always infuriates me)
    • At least 2 lowercase letters
    • At least 2 uppercase letters
    • At least 2 numbers
    • At least 2 symbol characters (but with a whole bunch of them, like @, considered invalid)
    • Cannot have the same character twice in a row (what possible purpose does this serve?!)

    There’s probably others I can’t even remember, or haven’t encountered.