Consumers rank “Creating a password that has to meet certain requirements” (e.g. number of digits, symbols) among their top frustrations with the sign-up process (47%).
Consumers are absolutely right to hate password requirements, and developers hate them as well, because they are bad practice and actually reduce the security of the password by giving the attacker insight into the form of the passwords.
Requirements like digits and symbols are especially bad because they force people into using hard-to-remember, leet-speak-like passwords and effectively disallow the much better and more memorable passphrase form of passwords (obligatory xkcd).
The only requirement for a password should be a minimum length of 8 or more characters. Any other requirements should be treated as security vulnerabilities and removed from the system.
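The two policies Jay contrasts above, as an added example that is not part of the comment or the original article: a "digit plus symbol" composition rule beside a length-only rule, and a rough measure of how much of the keyspace an attacker who knows the composition rule actually has to search. The substitution table, the trailing-digit habit, the sample passwords and the 2048-word list size are assumptions made for this illustration, not figures from the page.

```python
"""Added example (not from the original page or comment): why composition
rules leak the shape of a password, and why a length-only rule lets people
use passphrases.

Assumptions (not stated on the page): the substitution table and the
digit-suffix habit below are a constructed model of how people satisfy a
"digit + symbol" rule; 2048 is the word-list size used by diceware-style
passphrase generators and is assumed here.
"""
import itertools
import math
import string

# Constructed model of the substitutions people reach for when a policy
# demands digits and symbols (assumption, not from the page).
LEET = {
    "a": ["a", "@", "4"],
    "e": ["e", "3"],
    "i": ["i", "1", "!"],
    "o": ["o", "0"],
    "s": ["s", "$", "5"],
    "t": ["t", "7"],
}


def composition_policy(pw: str, minimum: int = 8) -> bool:
    """The kind of rule the comment argues against: at least `minimum`
    characters AND a digit AND a punctuation symbol."""
    return (
        len(pw) >= minimum
        and any(c.isdigit() for c in pw)
        and any(c in string.punctuation for c in pw)
    )


def length_only_policy(pw: str, minimum: int = 8) -> bool:
    """The rule the comment recommends: a minimum length and nothing else."""
    return len(pw) >= minimum


def leet_candidates(word: str) -> list[str]:
    """Every leet spelling of `word` followed by one digit: the candidate
    list an attacker who knows the policy's shape would try first."""
    choices = [LEET.get(ch, [ch]) for ch in word.lower()]
    return [
        "".join(combo) + digit
        for combo in itertools.product(*choices)
        for digit in string.digits
    ]


def search_space_bits(candidates: int) -> float:
    """log2 of the number of candidates the attacker must try."""
    return math.log2(candidates)


def passphrase_bits(words: int, wordlist_size: int) -> float:
    """Entropy of `words` words drawn uniformly from `wordlist_size` words."""
    return words * math.log2(wordlist_size)


def compare(word: str = "password", words: int = 4, wordlist_size: int = 2048) -> dict:
    """Contrast the policy-compliant leet keyspace for one base word with
    the keyspace of a random passphrase the same policy would reject."""
    cands = leet_candidates(word)
    compliant = [c for c in cands if composition_policy(c)]
    return {
        "leet_candidates": len(cands),
        "policy_compliant": len(compliant),
        "leet_bits": search_space_bits(len(compliant)),
        "passphrase_bits": passphrase_bits(words, wordlist_size),
    }


if __name__ == "__main__":
    # Constructed sample passwords.
    phrase = "correct horse battery staple"
    print("composition rejects passphrase:", not composition_policy(phrase))
    print("length-only accepts passphrase:", length_only_policy(phrase))
    print("composition accepts leet word:  ", composition_policy("P@ssw0rd1"))
    for key, value in compare().items():
        print(f"{key}: {value:.2f}" if isinstance(value, float) else f"{key}: {value}")
```

The point the numbers make is the one the comment makes in words: every leet spelling of "password" with a trailing digit that satisfies the composition rule fits in under ten bits of search space, while the four-word passphrase the same rule rejects outright sits at 44 bits. A real deployment would still cap the maximum length (to bound hashing cost) and check candidates against a breached-password list; neither is discussed on the page.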
Thanks for sharing your thoughts, Jay!