DEV Community


Discussion on: Do password rules impact security?

elmuerte profile image
Michiel Hendriks

People a lot smarter than me already have concluded that password length is all that matters, any other rules will only reduce the effect because people will use more predictable passwords. This combined with special slow hashing algorithms designed for password storage (e.g. bcrypt) is how to handle passwords.
This is just for passive password security, for when the credentials storage is leaked.
For the active service you obviously want to add MFA, temporary account locks, additional verification like recaptcha.

There also this nice XKCD:
XKCD: password strength