Will strict complex password increase your application or site security?

Photo by Lysander Yuen on Unsplash

If you think that strict/complex password requirement would increase security for you application or site, then you would be wrong.

Strict/ complex password policies would actually lower the security. Here is the short list of some bad ideas and some recommendations from the NIST.

• Do not restrict password length to less than 64 chars. NIST recommends 256 as a good maximum length.
• Do not truncate the user’s chosen password.
• Do not restrict special chars such as []();: etc. or /. If the special chars in the password will make issues in your system, you better fix that issue rather than restricting chars. The NIST says to accept all printing ASCII chars, space and Unicode.
• Do not provide password hints to unauthenticated users.
• Do not disable paste function in the browser. It will disable your password managers functionality (if you have) and does not make your system more secure. Also this can make users to crate simpler easy to remember passwords as they can not paste from their password manager.
• Do not impose composition rules. e.g do not mandate any particular mix of upper and lower case, numerics or special chars or prohibit repeating chars and so on.
• Do not arbitrarily require users to change their passwords after some time. Only do this for valid reasons e.g if there has been breach.

You want to encourage long random passwords. If you put artificial constraints or limits, it will encourage bad password habits leaving your user’s account vulnerable to takeover.

Reference: The Pragmatic Programmer David Thomas/ Andrew Hunt.