In password security, the longer the better. With a password manager, using more than 24 characters is simple. Unless, of course, the secure password is not accepted due to its length. (In this case, through STOVE.)

Possibly indicating cleartext storage of a limited field (which is an absolute no-go), or suboptimal or lacking security practices.

  • Buffalox@lemmy.world · 37 upvotes · 16 hours ago (edited)

    Your password MUST contain big and small letters, and contain at least 1 number character and 1 special character, it MUST be 8 characters long, and it MUST be typed on a German Cherry keyboard between 8-9 PM, using ONLY 1 finger while blindfolded and listening to ABBA music. BUT NO SPACES ALLOWED!!!
    This is because of something called entropy we never even read about so we have zero understanding of it. Of course combined with lousy programming, so safety is all on you.

    Making all these possibilities OPTIONAL would actually make for safer passwords (higher entropy), as would using multiple words separated by spaces. The only meaningful way to accept a password would be to test it against common bad passwords, and test the entropy to determine acceptable levels. There is no good reason a password couldn’t be 10 words and at least 127 characters. There is no way that should stress a properly designed modern system.
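The verifier the comment above asks for, written out as an added example that is not code from the thread or from any of the institutions it mentions: only a length floor, a generous length ceiling and a blocklist are enforced, every printable character including spaces is allowed, and the password is stored as a fixed-size salted scrypt digest so the database column never needs to limit length. The blocklist entries, the 8/256 limits and the scrypt parameters are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Tuple

# Constructed stand-in for a real breached-password list (a production verifier
# would load something like the Have I Been Pwned corpus instead of these entries).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "password1"}

# Assumed policy values: an 8-character floor and a 256-character ceiling. The
# ceiling only bounds the work done by the hash; storage cost is fixed regardless.
MIN_LENGTH = 8
MAX_LENGTH = 256


def normalize(password: str) -> str:
    """NFKC-normalize so equivalent Unicode spellings of the same password hash
    identically. Spaces and every printable character are kept exactly as typed."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str) -> Tuple[bool, str]:
    """Return (accepted, reason). Only length and the blocklist are enforced:
    no required character classes, no forbidden characters, spaces allowed."""
    pw = normalize(password)
    if len(pw) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if len(pw) > MAX_LENGTH:
        return False, f"longer than {MAX_LENGTH} characters"
    if pw.lower() in COMMON_PASSWORDS:
        return False, "appears in the common-password blocklist"
    return True, "accepted"


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted scrypt digest (assumed parameters n=2**14, r=8, p=1). The output is
    always 32 bytes, so the stored record is independent of password length."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(
        normalize(password).encode("utf-8"),
        salt=salt, n=2**14, r=8, p=1, dklen=32,
    )
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    for pw in ["Password1", "correct horse battery staple", "a" * 300]:
        print(repr(pw[:40]), check_password(pw))
    phrase = "ten words with spaces is a perfectly good password"
    salt, digest = hash_password(phrase)
    print(len(digest), "byte digest; verifies:", verify_password(phrase, salt, digest))
```

A 28-character passphrase with spaces and a 200-character one both produce the same 32-byte digest, which is the practical answer to a "limited field": the field holds the hash, not the password.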

      • Buffalox@lemmy.world · 1 upvote · 3 hours ago

        I think it’s originally because of bad programming. It’s so incredibly stupid I don’t have words.

    • Kushan@lemmy.world · 15 upvotes · 21 hours ago

      You have described all of the guidelines that NIST, Microsoft, GCHQ and a few other institutions now recommend for password security.

      And yet I still have to have this argument with so-called security engineers and my favourite, compliance officers.

      • Buffalox@lemmy.world · 1 upvote · 17 hours ago

        the guidelines that NIST, Microsoft, GCHQ and a few other institutions now recommend for password security

        Because they are morons that don’t understand entropy.
        Requiring at least 1 number increases entropy less than simply allowing the use of numbers, and then recommending it.
        But most password queries are lousy at describing what’s allowed when creating it, and they generally don’t describe it at all when you enter it for access.
        The second part can be crucial for remembering exactly how the password was created, because what is now required, used to often not even be possible to use!
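The entropy claim in the comment above, checked with a worked count as an added example (not from the thread): a "must contain a digit" rule shrinks the set of valid 8-character passwords from 62^8 to 62^8 - 52^8, which costs about 0.4 bits compared with simply allowing digits. The counting uses inclusion-exclusion so it generalizes to any combination of required classes, and the same function shows that a 28-character passphrase of lowercase words and spaces has far more entropy than any 8-character password with every class required. The class sizes (26/26/10/33, the 95 printable ASCII characters) are the assumed alphabet.

```python
import math
from itertools import combinations

# Constructed character-class sizes: the 95 printable ASCII characters split into
# lowercase, uppercase, digits and the remaining symbols (space counted as a symbol).
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def space_size(length, allowed, required=()):
    """Number of passwords of the given length drawn from the allowed classes in
    which every required class occurs at least once. Inclusion-exclusion: start
    from all strings over the allowed alphabet, subtract the strings missing one
    required class, add back those missing two, and so on."""
    total = sum(CLASSES[c] for c in allowed)
    count = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            alphabet = total - sum(CLASSES[c] for c in missing)
            count += (-1) ** k * alphabet ** length
    return count


def bits(n):
    """Entropy in bits of a uniform choice from n possibilities."""
    return math.log2(n)


def bits_lost(length, allowed, required):
    """Bits removed by a 'must contain' rule compared with merely allowing the
    same classes and letting the user choose."""
    return bits(space_size(length, allowed)) - bits(space_size(length, allowed, required))


if __name__ == "__main__":
    alnum = ("lower", "upper", "digit")
    print("8 chars, digits allowed :", round(bits(space_size(8, alnum)), 2), "bits")
    print("8 chars, digit required :", round(bits(space_size(8, alnum, ("digit",))), 2), "bits")
    print("cost of the rule        :", round(bits_lost(8, alnum, ("digit",)), 2), "bits")
    all_classes = tuple(CLASSES)
    print("8 chars, all 4 required :", round(bits(space_size(8, all_classes, all_classes)), 2), "bits")
    print("28 chars, words+spaces  :", round(bits(space_size(28, ("lower", "symbol"))), 2), "bits")
```

The numbers assume the attacker must search the whole space uniformly; real users choose non-uniformly, which is exactly why a blocklist does more than a composition rule. The ordering of the results is what matters: each added requirement only ever removes candidates, and length adds far more than any rule takes away.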

      • WanderingThoughts@europe.pub · 10 upvotes · 18 hours ago

        Had that yesterday.

        “Must use special characters!”

        “Okay, no problem. Here you go.”

        “Not that one! It’s too special!”

        “Dude, I haven’t even touched extended ASCII yet.”

      • AA5B@lemmy.world · 2 upvotes · 12 hours ago

        Even worse, when you can’t figure out why, or how to configure the generator, and end up having to type your own anyway.

    • RedditRefugee69@lemmynsfw.com · 2 upvotes · 17 hours ago

      I like the ones that just tell you your password strength.

      Subtle shaming of bad passwords without giving bad actors hints as to what the minimum (and thus most likely) password is.