Complex password requirements lead to post-its on monitors in cubicles with passwords written on them. That's a much worse result than a weak password for pretty much any system that relies on passwords to stop bad things from happening.

For regular websites, generating monitor post-its is inexcusable. Let your users choose the letter "a" as their password if they want, but warn them about the implications. The only acceptable password workflow for a website is this:

    - Choose a password
    - complexity check
    - if failed, "Seriously? That seems like a bad password" popup.
    - "Yes, seriously. I don't really care if this account gets hacked
      enough to memorize a complex password."
    - done.

I'd go as far as having *banks* do it this way. Anything to avoid having access to a $20k wire transfer be as simple as sitting down at somebody's desk when they're gone for the day and reading a post-it saying "BofA - wAffles$2".
This guy has no idea what a dictionary attack is, or entropy in various forms of password or pass phrase. Probably not a great source of security policy advice.

A pass phrase with 4 words chosen from a large alphabet, assuming the words are randomly selected, gets a lot of entropy really fast compared to a similarly memorable numeric PIN (6-8 digits, tops). "leetspeak" passwords derived from words using common rules aren't a lot better than just the words themselves, and are hard to remember (I've had to brute force a bunch of variations on my own or for other people when keyboard layouts changed, or when exact punctuation was not remembered).

20000 words in vocabulary, take 4, is 1.6e17 combinations. Dictionary attack that?
The 44 bits of entropy from the XKCD comic assume dictionary attacks. So even without number substitutions a dictionary attack would take VERY long.
Edit: JoeAltmaier beat me by 1 minute with this.
Dictionary attacks were how xkcd came up with the entropy for CorrectHorseBatteryStaple, I think. Also, adding digits in a couple of places for vowels adds just a bit or so to entropy, a fairly weak (entirely predictable) way of improving passwords.
Displaying password rules informs a hacker what rules to obey and follow, reducing the number of combinations they have to try. Rather than having rules, after a user creates/enters their password just let them know if it sucks or not, perhaps give some "stats" as to how long it would probably take to crack. Scare them into something stronger, but don't force them into "post-it noting their password".
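Added example, not code posted by any commenter: a Python sketch of the "warn, don't force" workflow from the first comment, with the crack-time "stats" the last comment suggests and the entropy arithmetic the middle comments argue about (4 words from a 20000-word vocabulary, 2048-word XKCD list, 6-8 digit PINs, leet substitutions worth about a bit each). The word list, the 20000-word attacker dictionary, the leetspeak table, the 10^10 guesses/second rate and the 40-bit warning threshold are all assumptions chosen for illustration.

```python
"""Warn-don't-force password feedback with crack-time "stats".

Added example for this thread, not any commenter's code. The word list, the
assumed attacker dictionary size, the leetspeak table, the guess rate and the
warning threshold are constructed assumptions for illustration.
"""
import math
import re
from functools import lru_cache
from typing import List, Optional, Tuple

# Constructed stand-in for a real dictionary (a real one has tens of thousands
# of entries). DICT_SIZE is the vocabulary an attacker is assumed to enumerate
# per word slot; it sets the per-word entropy (the thread's 20000).
WORDLIST = {"correct", "horse", "battery", "staple", "waffles", "password",
            "monkey", "dragon", "secret", "letmein"}
DICT_SIZE = 20000
# Common leetspeak rules. An attacker who knows them tries both spellings of
# each substitutable character, so each substitution is worth about one bit.
LEET = {"4": "a", "@": "a", "3": "e", "1": "i", "!": "i", "0": "o",
        "$": "s", "5": "s", "7": "t"}
GUESSES_PER_SECOND = 1e10   # assumed offline rate against a fast unsalted hash
WEAK_THRESHOLD_BITS = 40    # assumed line below which the "Seriously?" prompt appears


def passphrase_bits(dict_size: int, n_words: int) -> float:
    """Entropy of n_words drawn uniformly at random from dict_size words."""
    return n_words * math.log2(dict_size)


def pin_bits(n_digits: int) -> float:
    """Entropy of a uniformly random numeric PIN."""
    return n_digits * math.log2(10)


def normalize_leet(pw: str) -> Tuple[str, int]:
    """Lowercase and undo leetspeak inside letter runs; return (text, substitutions)."""
    chars = list(pw.lower())
    subs = 0
    for i, c in enumerate(chars):
        inside = 0 < i < len(chars) - 1 and all(
            n.isalpha() or n in LEET for n in (chars[i - 1], chars[i + 1]))
        if c in LEET and inside:
            chars[i] = LEET[c]
            subs += 1
    return "".join(chars), subs


def segment(letters: str) -> Optional[List[str]]:
    """Split a letter run into the fewest dictionary words, or None if impossible."""
    @lru_cache(maxsize=None)
    def best_from(i: int):
        if i == len(letters):
            return ()
        best = None
        for j in range(i + 1, len(letters) + 1):
            if letters[i:j] in WORDLIST:
                rest = best_from(j)
                if rest is not None and (best is None or len(rest) + 1 < len(best)):
                    best = (letters[i:j],) + rest
        return best
    result = best_from(0)
    return list(result) if result is not None else None


def estimate_bits(password: str) -> Tuple[float, str]:
    """Rough entropy of a submitted password from an attacker's point of view."""
    if not password:
        return 0.0, "empty"
    if password.isdigit():
        return pin_bits(len(password)), "all-digit PIN"
    norm, subs = normalize_leet(password)
    words = []
    for run in re.findall(r"[a-z]+", norm):
        part = segment(run)
        if part is None:
            words = None
            break
        words.extend(part)
    if words:
        # Dictionary-based: count words, then roughly a bit per leet/caps tweak
        # plus the digits/symbols an attacker's rule set would append.
        digits = sum(c.isdigit() for c in norm)
        symbols = sum(not c.isalnum() for c in norm)
        caps = sum(c.isupper() for c in password)
        bits = (passphrase_bits(DICT_SIZE, len(words)) + subs + caps
                + digits * math.log2(10) + symbols * math.log2(32))
        return bits, f"{len(words)} dictionary word(s), {subs} leet substitution(s)"
    # Not word-based: plain brute force over the character classes present.
    pool = sum(size for pattern, size in ((r"[a-z]", 26), (r"[A-Z]", 26),
                                          (r"[0-9]", 10), (r"[^A-Za-z0-9]", 32))
               if re.search(pattern, password))
    return len(password) * math.log2(pool), f"brute force over a {pool}-symbol alphabet"


def crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to hit the password: half the keyspace at the given rate."""
    return (2 ** bits) / 2 / rate


def describe_time(seconds: float) -> str:
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.3g} seconds"


def evaluate(password: str) -> dict:
    """The 'stats' shown to the user instead of a list of rules."""
    bits, how = estimate_bits(password)
    return {"bits": round(bits, 1), "how": how,
            "crack_time": describe_time(crack_seconds(bits)),
            "weak": bits < WEAK_THRESHOLD_BITS}


def accept_password(password: str, user_confirms: bool = False) -> bool:
    """The thread's workflow: check, 'Seriously?' prompt if weak, accept if the
    user insists. No branch refuses the password outright."""
    if not evaluate(password)["weak"]:
        return True
    # A site would display the report here and ask; the answer is a parameter
    # so the flow can be exercised without a UI.
    return user_confirms


if __name__ == "__main__":
    for pw in ("a", "12345678", "wAffles$2", "p4ssw0rd", "correcthorsebatterystaple"):
        print(pw, evaluate(pw))
```

The estimator deliberately scores from the attacker's side: a word it can segment out of the dictionary costs log2(20000) bits, not the 4.7 bits per letter a character-class calculator would award it, and each leet or capitalization tweak adds only about one bit, which is why "p4ssw0rd" comes out two bits above "password" while "correcthorsebatterystaple" lands at the 57 bits the 1.6e17 figure implies.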