Dumb Password Rules – Schneier on Security

We’ve all encountered them: dumb password rules. Those frustrating artificial complexity requirements that add unnecessary layers of difficulty to creating passwords. We often find ourselves locked out of accounts, unable to guess the right combination of capital letters, numbers and symbols. In this article, we’ll look at some common examples of these dumb password rules and how they can be avoided.

Bruce Schneier, computer security expert and author of the book Applied Cryptography, has identified numerous examples of dumb password rules. These include rules that require passwords to contain a mix of upper and lowercase letters, numbers and symbols. Other rules dictate that passwords must contain at least one character from each of four different character sets. These rules can be impossible for a user to remember and can lead to frustration when trying to access accounts.

The problem with these rules is that they are often ineffective at securing an account. Studies have shown that passwords built under rules like upper and lowercase letters and numbers are only marginally more secure than a password made of just letters. Furthermore, the additional complexity makes it harder for users to remember their passwords, so more users write them down, leaving the passwords exposed.

The best way to protect accounts is to use strong passwords that are easy to remember. Schneier recommends using longer passphrases of at least 12 characters, rather than short passwords. He also suggests using words that are easy to remember but not found in the dictionary. This will make it much more difficult for hackers to guess the password.
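To make the comparison concrete, here is an added example (not code from Schneier's post or from any product it mentions) that puts a composition-rule policy of the kind criticised above beside a length-first policy, and estimates the guessing search space each password allows. The function names, the denylist and the thresholds are assumptions chosen for illustration.

```python
import math
import string

# Added example (not from the article): two toy password policies and a
# search-space estimate, to show why length matters more than composition
# rules. Function names, thresholds and the denylist are assumptions.

# Constructed denylist of a few well-known passwords; a real deployment
# would check against a breached-password corpus instead.
BANNED = frozenset({"password", "passw0rd!", "qwerty123!", "letmein"})


def composition_rule_check(pw):
    """The 'dumb' policy the article criticises: at least 8 characters and at
    least one character from each of four classes. Returns the rules violated."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c in string.ascii_lowercase for c in pw):
        problems.append("no lowercase letter")
    if not any(c in string.ascii_uppercase for c in pw):
        problems.append("no uppercase letter")
    if not any(c in string.digits for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbol")
    return problems


def length_first_check(pw, min_len=12, max_len=128):
    """Length-based policy in the spirit of the article's advice: a minimum of
    12 characters, a generous maximum so passphrases fit, and a denylist
    check instead of character-class requirements. Returns the rules violated."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(pw) > max_len:
        problems.append(f"longer than {max_len} characters")
    if pw.lower() in BANNED:
        problems.append("appears on the denylist")
    return problems


def search_space_bits(pw):
    """Upper bound on guessing work, in bits: len(pw) * log2(alphabet size),
    where the alphabet is the union of the character classes the password
    actually uses. Assumes every position was chosen uniformly at random, so
    a dictionary-word passphrase or 'Passw0rd!' has far less real entropy."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    alphabet = 0
    for cls in classes:
        if any(c in cls for c in pw):
            alphabet += len(cls)
    # Characters outside the four classes (spaces, non-ASCII) each add one.
    alphabet += len({c for c in pw if not any(c in cls for cls in classes)})
    if alphabet == 0:
        return 0.0
    return len(pw) * math.log2(alphabet)


if __name__ == "__main__":
    samples = ("Passw0rd!", "Aa1!Aa1!", "aaaaaaaaaaaa",
               "correct horse battery staple")
    for pw in samples:
        print(f"{pw!r:32} composition={composition_rule_check(pw) or 'ok'} "
              f"length-first={length_first_check(pw) or 'ok'} "
              f"bits<={search_space_bits(pw):.1f}")
```

Running it shows the point of the paragraph above: "Passw0rd!" satisfies every composition rule yet sits on the denylist and allows under 60 bits of search space, an 8-character password drawn from all four classes allows about 52 bits, and 12 lowercase letters already allow about 56 bits. The bit figure is only an upper bound, since it assumes each character was chosen uniformly at random; a passphrase assembled from common words has less real entropy than the formula suggests, which is why the denylist check matters alongside the length rule.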

In conclusion, while there are some dumb password rules that can be frustrating to deal with, the best way to protect accounts is to use strong passwords that are easy to remember. Longer passphrases of at least 12 characters, using words that are easy to remember but not found in the dictionary, are a much better option.

Key Points:

• Artificial complexity requirements can lead to users being locked out of accounts.

• Rules requiring passwords to contain a mix of upper and lowercase letters, numbers, and symbols are only marginally more secure than passwords with just letters.

• Longer passphrases of at least 12 characters, using words that are easy to remember but not found in the dictionary, are a much better option.

• Strong passwords that are easy to remember are the best way to protect accounts.
