Choosing a password should be easy

Post date: Jan 1, 2014 9:18:14 PM

A website I just registered for had a huge litany of "rules" about picking the password:

"Password must contain at least 3 alphanumeric (letter or number) characters. Password must contain at least 4 characters of different types (lowercase, uppercase, digit or punctuation). Password must contain at least one digit. Password must not match last 8 passwords. Password must be at least 8 characters in length. Password must contain at least 2 letters. Password must contain at least one lowercase character. Password must contain at least one punctuation (not whitespace or an alphanumeric) character. Password must contain at least one uppercase character. Password must not contain the username."

tl;dr.

Instead, why not implement two-factor auth? This usually combines something you know (your password) with something you have (a two-factor authentication device, which generates a pseudo-random number in sync with the server). If your password is compromised, the bad guys still can't log in without your device. It's much more difficult (nigh impossible) to "guess" what the next number in the sequence will be, so either way you're covered.
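One common form of the "number in sync with the server" scheme is TOTP (RFC 6238, built on HOTP from RFC 4226). The following is an added example, not code from this post: it implements both the device side (code generation) and the server side (verification with a small clock-drift window and replay rejection). The shared secret is the RFC's SHA-1 test seed, used here as a constructed value.

```python
import hashlib
import hmac
import struct

# Shared secret: the server stores it at enrollment, the device keeps a copy.
# Constructed value: the RFC 4226 / RFC 6238 SHA-1 test seed, not a real secret.
SHARED_SECRET = b"12345678901234567890"
TIME_STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a fixed number of decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP_SECONDS) -> str:
    """RFC 6238 TOTP (device side): HOTP with the counter derived from time.
    Device and server stay "in sync" because both derive the same counter."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                window: int = 1, last_accepted_step: int = -1):
    """Server side. Accepts the current time step plus `window` steps either
    side to tolerate clock drift. Returns the matched step so the caller can
    persist it; any step at or below the last accepted one is refused, which
    stops a captured code from being replayed within its validity window."""
    if len(submitted) != DIGITS or not submitted.isdigit():
        return None
    current_step = unix_time // TIME_STEP_SECONDS
    for step in range(current_step - window, current_step + window + 1):
        if step <= last_accepted_step:
            continue
        # Constant-time comparison so timing does not leak matching digits.
        if hmac.compare_digest(hotp(secret, step), submitted):
            return step
    return None


if __name__ == "__main__":
    now = 59  # constructed timestamp from the RFC 6238 test table
    code = totp(SHARED_SECRET, now)
    print("device shows:", code)
    print("server accepts at step:", verify_totp(SHARED_SECRET, code, now))
```

A real deployment also rate-limits verification attempts and stores the returned step per user so the same code cannot be accepted twice.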