Stop Forcing Complex Passwords on the Web

Many websites today require complex passwords with these rules:

• A capital letter
• A special character
• At least one number
• A minimum of six to eight characters

How Do Users Respond?

Most people follow these rules in predictable ways:

• Capital letter? The first letter: "Password"
• Special character? Usually "!" or "@", at the end: "Password!"
• One number? Often "1", also at the end: "Password1"
• Minimum length? They just keep adding numbers: "Password123"

Are These Passwords Secure?

Let's check how often these appear in data breaches:

• Password!123 – 1,831 times
• Password! – 7,694 times
• password! – 115,257 times
• Password123 – 130,684 times
• password123 – 343,763 times
• password1 – 3,383,590 times
• password – 11,394,719 times

Clearly, many people treat password creation as just another required step, and the rules don't stop weak passwords

The Purpose of Complex Passwords

The goal of complex passwords is to prevent attackers from guessing them in a reasonable amount of time. A few decades ago, when passwords were mainly used for encrypted documents or local systems, this made sense. Websites didn't enforce strict password policies, two-factor authentication (2FA) wasn't common, and brute-force attacks were somewhat feasible

But in today's web-based world, strict password rules feel outdated. They're a relic from a time when a lot of systems didn't have much money, they were not online, and multi-factor authentication didn't exist

Now, even logging into a personal computer may require a second factor – so why force users to create complex passwords for websites?

What Can Websites Do Instead?

1. Introduce login delays – Even a 200–500ms delay can slow down brute-force attempts without bothering users
2. Limit login attempts – Restrict retries per account or IP (without locking out legitimate users too quickly)
3. Use two-factor authentication (2FA) – If 2FA is properly implemented, password complexity becomes much less important
4. Use CAPTCHA – Automated bots can be stopped with CAPTCHA, but choose a solution that doesn't require users to select fire hydrants or traffic lights

A deeper look into these alternatives will be covered in another publication note, but let's focus on passwords for now

Instead of forcing complex passwords, consider:

1. Assessing if it's really a problem
2. Informing users about weak passwords

If a user's account security doesn't actually depend on password complexity, stop making it harder for them. The only reasonable requirement for web passwords is a minimum length

---

P.S. If a website restricts password length (e.g., 24 or 32 characters), it's a red flag. Proper password handling (like PBKDF2) ensures that length shouldn't impact performance. Some sites even limit passwords to 49 characters – completely strange 🤪

"Your password must contain at least 8 letters, a capital, a plot, a protagonist with good character development, a twist & a happy ending."

---

Further Reading:

• Password policies of major websites
• Most Common Passwords (NordPass)
• Pwned Passwords Check
• What are passkeys?
• Proper password storage (OWASP)
• Brute Force Attacks (OWASP)
• Credential Stuffing Attacks
• A verification tool to replace CAPTCHAs