Elastic Cloud password complexity has an “OR” condition

75 points by herpderperator, over 2 years ago

17 comments

modeless, over 2 years ago
Or, you could just do what NIST recommends and not impose arbitrary password requirements beyond being 8+ characters and not appearing in a list of known passwords. https://pages.nist.gov/800-63-3/sp800-63b.html#:~:text=no%20other%20complexity%20requirements%20for%20memorized%20secrets%20should%20be%20imposed .
snorremd, over 2 years ago
The only requirement for passwords these days should be that the entropy is high enough and that the password is not in password leak databases. Anything other than that is simply asking users to reuse passwords across sites or annoying people who use password managers that generate too complex passwords.

Passphrases are perfectly reasonable choices for passwords, but often run foul of the number and special character rules. Worst part is some sites even have very short max length rules for passwords. One can only suspect they either go around thinking people still memorize passwords, or worse, they store passwords in a varchar(12) DB column.

The best bet would be to eliminate passwords altogether using some combination of webauthn key authentication and some other user friendly factor (e.g. TOTP). But as long as passwords are here to stay, make them user friendly.
dec0dedab0de, over 2 years ago
I hope this catches on. I hate making 30+ character passwords only to be told I need to add capitals and whatnot to be secure.
kazinator, over 2 years ago
I finally got fed up with the special characters, digits and case bullshit and made myself this.

https://addons.mozilla.org/en-US/firefox/addon/jp-hash/

https://www.kylheku.com/cgit/jp-hash/about/
vinay_ys, over 2 years ago
Key risk with passwords is reuse across differently vulnerable websites/apps. Password complexity enforcement does nothing to address this risk. For many users it may actually push them to reuse passwords.
ARandomerDude, over 2 years ago
Stopped caring when I started using Bitwarden to autogenerate and store long, complex passwords. That was the real game changer.
rayanht, over 2 years ago
i like this, it’s very user-friendly; allows for both “battery correct horse staple”-style passwords and the randomly generated mess you’d get from a password manager
nesk_, over 2 years ago
FYI, Github does the same thing too.

I really like this way to ensure password robustness, users with password generators are not blocked by some absurd rules.
atoav, over 2 years ago
My services have three password rules:

1. the password has to be a certain length (8 or more)
2. the password is not allowed to be in the list of the most common passwords
3. username, email or similar is not allowed to be in the password
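
The three rules listed in the comment above, as an added example that is not part of the thread and not any commenter's code. The denylist is a tiny constructed stand-in for a real common-password list (it includes the two strings quoted further down the thread), and the function names, the NFKC/case-fold normalisation and the 3-character minimum for identity tokens are assumptions.

```python
import unicodedata

MIN_LENGTH = 8  # rule 1 in the comment: "8 or more"

# Constructed stand-in for a real common-password list (assumption: a
# production service would load a much larger list from a file).
COMMON_PASSWORDS = frozenset({
    "password", "12345678", "123456789012345", "passwordpassword",
    "qwertyuiop", "iloveyou1",
})


def _norm(s):
    """NFKC-normalise and case-fold so visually equal strings compare equal."""
    return unicodedata.normalize("NFKC", s).casefold()


def identity_tokens(username, email):
    """Strings that must not appear inside the password (rule 3)."""
    local_part = email.split("@", 1)[0]
    tokens = {_norm(username), _norm(email), _norm(local_part)}
    # Ignore very short tokens: a 2-letter username would otherwise reject
    # almost every passphrase. The threshold of 3 is an assumption.
    return {t for t in tokens if len(t) >= 3}


def check_password(password, username, email):
    """Return the list of violated rules; an empty list means accepted."""
    problems = []
    normalized = unicodedata.normalize("NFKC", password)
    folded = normalized.casefold()
    # Rule 1: length counted in code points after normalisation.
    if len(normalized) < MIN_LENGTH:
        problems.append("too_short")
    # Rule 2: exact match against the denylist, ignoring case.
    if folded in COMMON_PASSWORDS:
        problems.append("common_password")
    # Rule 3: username, email or email local part as a substring.
    if any(tok in folded for tok in identity_tokens(username, email)):
        problems.append("contains_identity")
    return problems
```

A long but predictable string such as `passwordpassword` passes the length rule and is rejected only because it is on the denylist, so the quality of that list carries most of the weight.
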
plugin-baby, over 2 years ago
Not sure about the specifics, but the concept looks reasonable.
deanc, over 2 years ago
This takes me to a dropbox page where I have to sign in.
bagels, over 2 years ago
The terms are not well defined enough in the dialog to know whether this is reasonable or not.
cbhl, over 2 years ago
I hope this catches on, to allow more xkcd-style "correct battery horse staple" passwords
wodenokoto, over 2 years ago
So ... 123456789012345 or passwordpassword
hoten, over 2 years ago
What does without complexity even mean?
postalrat, over 2 years ago
Webauthn can replace passwords if people finally accept that passwords can't be made into a good solution.
lupire, over 2 years ago
length("passwordpassword") > 15chars