Password Rules Are Bullshit


The only way I see it’s possible to solve this problem is when people decide to live right and we won’t need passwords.

Like Einstein said: a problem cannot be solved from the same level of consciousness it was created from.
I now understand what he was talking about.

We fight with reflection in a mirror and try to protect ourselves from our own shadows.


I got tipped off about your article, having written something similar myself, where instead of encouraging my users to use characters, I encourage them to use sentences. Since the vocabulary of the English language alone is roughly 150,000 words, before we start adding slang words, other languages (I am Norwegian myself), and the fact that most people can create some simple phrases in a whole range of different languages, such as Spanish (Hasta la vista), Arabic (Allahu akbar), Yoda speak (The force in you, truly is strong my son), etc., I concluded that increasing it even further, to 25 characters, while encouraging my users to use complete sentences, would probably result in even larger entropy.

If you’d like to read my ramblings, feel free to check it out here.

Now of course, the idea is that even a sentence with an astonishingly high amount of entropy is still dead simple for the user to remember, without having to write it down. At the same time, the statistical probability that he’ll need to reuse passwords becomes significantly reduced, at least passwords he has used previously, since these would historically for the most part have consisted of 8-10 character passwords.

In addition, creating a unique password for each service would be easy, since the user could use his own personal associations; for your site I could have chosen: “Holy mother of blip, I am so deadly scared now that my hair stands straight up into the air”

All in all, this significantly increases the entropy, literally exploding it in size, while still making sure that the human brain is easily capable of remembering the actual password. This would also encourage users to make sure they use the “Remember me” checkbox when logging in, resulting in the password being sent over the wire fewer times, arguably further increasing its security …


Do you think it’s possible that you may be addressing the wrong audience?

I mean, most of the reason that dumb password rules exist in the wild is because the software behind the password box allowed the dumb rules to be defined… If the developers who wrote the rule definition software didn’t allow dumb rules to be created in the first place, then the rule enforcers would be forced to come up with better rules.

For example:

  • Don’t allow the admin to drop the maximum password length below 20.
  • If the entered password matches some known good standard form, then ignore the BS rules set by the admin:
      ◦ 128- to 256-bit Base64: (?i)^[a-z0-9+/]{22,43}={0,3}$
      ◦ 128- to 256-bit Ascii85: (?i)^[a-z0-9!#$%&()*+;-<=>?@^_`{|}~]{20,40}$
  • Don’t allow the admin to disable copy/paste into the password box.

Built-in password shaming may be a nice feature as well:
short password -> “My cell phone could randomly guess your password in x seconds”
password in a dictionary -> “I just used a thesaurus to guess your password in 0.00x seconds”
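The guardrails this comment proposes (a floor on the admin-configurable maximum length, a bypass for passwords that look like 128- to 256-bit random keys, and guess-time feedback) can be sketched as a small policy checker. This is an added example, not code from the blog or its commenters; the two regexes are copied from the comment above, the floor of 20 is the comment's figure, the guess rate of 10^9 per second and the tiny dictionary are constructed stand-ins, and the AdminRules fields and function names are assumptions made for the demonstration.

```python
import base64
import math
import re
import secrets
from dataclasses import dataclass

# Guardrail the rule-definition software enforces regardless of admin input
# (the comment above proposes 20 as the floor for the maximum length).
MIN_ALLOWED_MAX_LENGTH = 20

# Standard forms copied from the comment above: a candidate that looks like a
# 128- to 256-bit random key in Base64 or Ascii85 skips the admin's composition rules.
KNOWN_GOOD_FORMS = {
    "base64 (128-256 bit)": re.compile(r"(?i)^[a-z0-9+/]{22,43}={0,3}$"),
    "ascii85 (128-256 bit)": re.compile(r"(?i)^[a-z0-9!#$%&()*+;-<=>?@^_`{|}~]{20,40}$"),
}

# Constructed stand-in for a breached-password / dictionary list (assumption:
# a real deployment would load a full list from a file).
COMMON_PASSWORDS = {"password", "letmein", "dragon", "qwerty", "123456"}


@dataclass
class AdminRules:
    """Rules an administrator may configure; unsafe values are clamped on creation."""
    min_length: int = 8
    max_length: int = 64
    require_digit: bool = False
    require_symbol: bool = False

    def __post_init__(self):
        # The admin cannot drop the maximum below the floor, whatever was typed.
        if self.max_length < MIN_ALLOWED_MAX_LENGTH:
            self.max_length = MIN_ALLOWED_MAX_LENGTH
        if self.min_length > self.max_length:
            self.min_length = self.max_length


def charset_size(password):
    """Rough size of the alphabet the password appears to be drawn from."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        size += 33  # printable ASCII punctuation and space
    return size or 1


def guess_seconds(password, guesses_per_second=1e9):
    """Worst-case brute-force time at an assumed guess rate (constructed: 1e9/s)."""
    return charset_size(password) ** len(password) / guesses_per_second


def evaluate(password, rules, guesses_per_second=1e9):
    """Return (accepted, message), applying the comment's guardrails in order."""
    # Dictionary check first so a long lowercase word cannot pass as an Ascii85 key.
    if password.lower() in COMMON_PASSWORDS:
        return False, "I just used a thesaurus to guess your password in 0.00x seconds"
    for name, pattern in KNOWN_GOOD_FORMS.items():
        if pattern.match(password):
            return True, f"accepted as {name} key; admin composition rules skipped"
    if len(password) < rules.min_length:
        secs = guess_seconds(password, guesses_per_second)
        return False, f"My cell phone could randomly guess your password in {secs:.2g} seconds"
    if len(password) > rules.max_length:
        return False, f"password longer than {rules.max_length} characters"
    if rules.require_digit and not re.search(r"[0-9]", password):
        return False, "admin rule: at least one digit required"
    if rules.require_symbol and not re.search(r"[^a-zA-Z0-9]", password):
        return False, "admin rule: at least one symbol required"
    return True, "accepted"


if __name__ == "__main__":
    rules = AdminRules(max_length=12, require_symbol=True)  # 12 is clamped to 20
    key = base64.b64encode(secrets.token_bytes(16)).decode()  # a 128-bit key
    print(rules.max_length, evaluate(key, rules), evaluate("abc", rules))
```

One caveat worth keeping in mind: the Ascii85 pattern from the comment also matches any 20- to 40-character alphanumeric string, so a "looks like a key" check only recognises the shape of randomness, not its presence. Pairing it with a breached-password list, as above, closes the most obvious gap.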


Whoa, for the record, ‘correct horse battery staple’ is not a human-generated phrase; it’s randomly generated by rolling dice and looking up words in a list big enough to be secure, then taking what you rolled and writing a story to help you remember the random sample. (Unfortunately, with Diceware’s word list you need 20 words to get 258.496… bits of randomness.)
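The dice-rolling procedure this comment describes, and the entropy arithmetic behind both its "20 words for 258.496 bits" figure and the earlier commenter's 150,000-word vocabulary, are shown below as an added example; it is not code from the blog, its commenters or the Diceware project. The real Diceware list (7776 English words keyed by five dice) is not embedded; the block builds a constructed stand-in list with the same key structure so it runs offline, and the function names are assumptions made for this demonstration.

```python
import math
import secrets

DICE_PER_WORD = 5               # Diceware rolls five dice per word
LIST_SIZE = 6 ** DICE_PER_WORD  # 7776 entries in the standard list


def roll_key():
    """Roll five dice with a CSPRNG and return the lookup key, e.g. '36215'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(DICE_PER_WORD))


def bits_per_word(list_size=LIST_SIZE):
    """Entropy contributed by one uniformly chosen word from a list of list_size."""
    return math.log2(list_size)


def bits_for_words(n_words, list_size=LIST_SIZE):
    """Total entropy of n_words independent uniform picks."""
    return n_words * bits_per_word(list_size)


def words_needed(target_bits, list_size=LIST_SIZE):
    """Smallest number of words that reaches target_bits of entropy."""
    return math.ceil(target_bits / bits_per_word(list_size))


def build_stand_in_wordlist():
    """Constructed placeholder for the Diceware list: key '11111' -> 'w0000', etc.

    The real list maps each five-dice key to an English word; only the key
    structure matters for the arithmetic, so synthetic tokens are used here.
    """
    words = {}
    for i in range(LIST_SIZE):
        digits, n = [], i
        for _ in range(DICE_PER_WORD):
            digits.append(str(n % 6 + 1))  # base-6 digit, shifted to a die face 1..6
            n //= 6
        words["".join(reversed(digits))] = f"w{i:04d}"
    return words


def generate_passphrase(n_words, wordlist):
    """Roll n_words keys and join the words they select; returns (keys, phrase)."""
    keys = [roll_key() for _ in range(n_words)]
    return keys, " ".join(wordlist[k] for k in keys)


if __name__ == "__main__":
    wordlist = build_stand_in_wordlist()
    keys, phrase = generate_passphrase(6, wordlist)
    print(keys, phrase, f"{bits_for_words(6):.1f} bits")
    print("words for 256 bits:", words_needed(256))
```

The figure in the comment falls out directly: log2(7776) is about 12.925 bits per word, so 20 words give 258.496 bits. The earlier commenter's 150,000-word vocabulary would give about 17.2 bits per word if words were drawn uniformly at random from it, which is the caveat: a sentence a person composes is not a uniform draw, so the log2(vocabulary) per word figure only holds for dice-selected words, and a self-chosen phrase should be assumed to carry less.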


Not only is the rule bullshit. It’s also bullshit if you cannot put the password in your brain. When you cannot remember it, you will have to write it down or save it somewhere. That is the catch, isn’t it!

For example, BitLocker: I am never able to remember the 48-digit number, so I have to write it down and bring it with me. So if I lose my laptop, I probably also lose the written keys I carry with me at the same time. You don’t have to prove whether BitLocker has a back door or not. The back door is on you, the user!!