Password Chaos

Creating a memorable password runs against most of the rules implemented for creating a strong password.  Much fine work has been done parodying this interesting fact.  That being said, the folks who implement the rules and subsequently announce those rules to the users have lost their minds.  Take a look at this description of the required rules I happened upon recently.

Required Overlap

Let’s pair some of these.

Length:

Between 8 and 64 characters

Increase the length from 12-20 characters

Case:

Use both uppercase and lowercase letters.

A lowercase or uppercase letter

Repetition:

Not repeat any character more than 3 times in a row.

Not be a sequence of 4 characters in a row.

In each of the above pairs, the first line is all that is required to articulate the apparent rule.  The second line can be dropped as superfluous (and confusing).

In the length pair, the “increase” line is essentially unparsable.  This is to say I can formulate no meaning for that line which aligns that line with the other lines in a logically consistent fashion.  If the minimum is 8 then there would never be a reason to increase by 12.  If you are 20 away from 64 (the maximum) there is no reason to increase the length.

In the case pair, the “and” and the “or” cannot be conjoined.  If you must use both (“and”) then you cannot use one or the other (“or”).

In the repetition pair, if you cannot have three in a row you necessarily can’t have four in a row.  Further, if the minimum is 8 it must be longer than 4 regardless.
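The three first-line rules above, as an added example (not code from the site being critiqued): each rule's user-facing sentence and its check live in one object, so the displayed list is generated from what is actually enforced and cannot overlap with or contradict it. The names `Rule`, `RULES`, `failed_rules` and `rule_list` are illustrative, and the sample passwords are constructed.

```python
import re
from dataclasses import dataclass
from typing import Callable

MIN_LEN, MAX_LEN = 8, 64   # "Between 8 and 64 characters"
MAX_RUN = 3                # "Not repeat any character more than 3 times in a row."


@dataclass(frozen=True)
class Rule:
    text: str                   # the one sentence shown to the user
    ok: Callable[[str], bool]   # the check that enforces exactly that sentence


# A run longer than MAX_RUN: one character followed by MAX_RUN or more copies of itself.
_LONG_RUN = re.compile(r"(.)\1{%d,}" % MAX_RUN, re.DOTALL)

RULES = (
    Rule(f"Be between {MIN_LEN} and {MAX_LEN} characters long.",
         lambda p: MIN_LEN <= len(p) <= MAX_LEN),
    Rule("Use both uppercase and lowercase letters.",
         lambda p: any(c.isupper() for c in p) and any(c.islower() for c in p)),
    Rule(f"Not repeat any character more than {MAX_RUN} times in a row.",
         lambda p: _LONG_RUN.search(p) is None),
)


def failed_rules(password: str) -> list[str]:
    """Return the text of every rule the password breaks, in display order."""
    return [r.text for r in RULES if not r.ok(password)]


def rule_list() -> str:
    """Render the rule list from the same objects the checker uses."""
    return "Your password must:\n" + "\n".join(f"  - {r.text}" for r in RULES)


if __name__ == "__main__":
    print(rule_list())
    # Constructed sample passwords, for illustration only.
    for sample in ("correct horse Battery staple", "aaaBcdefg", "aaaaBcdefg", "short"):
        print(repr(sample), "->", failed_rules(sample) or "ok")
```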

Then there is the order of the list.  Makes me wonder if that order could have been arrayed in a way that would be more confusing.  Could it?

Never mind that five lines are sentences (ending in periods) and the other three lines are not (unpunctuated).

It’s like they took a poll of the IT staff and just listed out selections from their various responses.

Just… think it through a bit.  UI/UX isn’t something that requires a specialized developer.  Think.

2024 Update

I came across this lovely gem of password instructions and wanted to share it as well.

Password Policy

Why limit a password to 18 characters?  That’s just plain silly.  It’s not even a power of two.  “Hey, let’s arbitrarily limit passwords!”  Idiots.

Why restrict spaces?  Again, arbitrary and silly.

Both of these rules limit passwords, making them less secure rather than more.  Stop it.  Just don’t.  Fix your shit.
