I understand that complex passwords have merit because they prevent some scenarios; my problem is with the focus that is put on it. Having a complex password does help protect you from brute forcing, but it doesn't protect you from the problems that most people suffer: phishing and social engineering. And in a scenario where a system you use is breached, you can safely suggest your password is stolen, in which case no matter how complex it is you're not safe. How many stolen accounts are from brute forcing? In my own experience with user support, all stolen passwords have been a case of phishing or social engineering (e.g. "I am important, you need to give me your password"). My "issue" (if you can call it that) is that if you say to a user signing up to your website "Your password is 50% secure!" they'll mistakenly assume that means they're safe and can throw out all other security practices. It doesn't matter how complex their password is; a password is never secure when humans are involved. A password can be considered secure enough if it's unique to a website, but once a password is being used on multiple websites it doesn't matter how complex it is: all it takes is for one site to be breached and it's a worthless password. Instead of telling users that if their password meets some arbitrary requirements it's suddenly more secure than another password that has 1 less character, we should tell them that they need to assume their password can be stolen, and if it is, using unique passwords per website will protect them. Passwords aren't either "secure" or "insecure" based on the password itself; they're secure until someone else knows it. If your password becomes insecure (either through phishing or brute forcing) you need to be ready to limit the damage. If every website you use has the same password (no matter how complex it is) and your password becomes insecure you have a huge problem; if you use a unique password per website you're safe from most damage.
If you have an account on 100 websites it's better to have an "easy" password (e.g. "2809911234" (my birth date followed by 1234)) that is different on each website than it is to have 1 password on every website that is super complex (e.g. "£(U&(FDJHDIFHJDJHF&DF&^SDF&^S^&*"). Password security should work under the assumption that someone DOES know your password or WILL know your password, and you should be limiting the problem. People sign up to websites all the time with no idea how secure they are. I administrate a website with 1.3 million users; I could be a scary Russian hacker that is just stealing their details to hack their PayPal accounts and empty their banks, but if they had unique passwords everywhere that would not be an issue. It doesn't matter how complex a password is, the moment you input it into a form on a website it becomes insecure.

To tl;dr my waffle and address your main point:

> just because password complexity doesn't mitigate some of your carefully constructed scenarios, doesn't mean that it's useless.

You're correct, password complexity isn't useless, but it isn't important enough to warrant being the only thing users are told. Password complexity is a small part of having good online security; making it the focus of security by using it in forms is misleading to users. Anecdotally, I know someone (supposedly smart) who berated me for having a password that was only 10 characters long because a website said a 10 character password can be hacked in 3 days; he didn't understand that the 3 days is how long it would take a computer to compute my password, not that someone could "target" me and have my password on their computer in 3 days. Even smart people don't have a clue about security, and password complexity on forms just misleads them further. Passwords are secure until someone else knows them; they're not secure based on how complex they are.
A password that is 16 characters is only more "secure" than a 10 character password if you live in a vacuum where the only issue is brute forcing (or similar computational attacks).