a companion discussion area for blog.codinghorror.com

Password Rules Are Bullshit


Only way I see it’s possible to sort this problem is when people decide to live right and we won’t need passwords.

Like Einstein said: Problem cannot be solved from this same level of consciousness it was created from.
I now understand what he was talking about.

We fight with reflection in a mirror and try to protect ourselves from our own shadows.


I got tipped of about your article having written something similarly myself, where instead of encouraging my users to use characters, I encourage them to use sentences. Since the vocabulary of the English language alone is roughly 150,000 words, before we start adding slang words, other languages (I am a Norwegian myself), and the fact that most people can create some simple phrases in a whole range of different languages, such as Spanish (Hasta la vista), Arabic (Allahu akbar), Yoda speak (The force in you, truly is strong my son),etc, etc, etc - I concluded with that increasing it even further, to 25 characters, while encouraging my users to use complete sentences would probably result in even larger entropy.

If you’d like to read my ramblings, feel free to check it out here

Now of course, the idea is that even a sentence with an astonishingly high amount of entropy, is still dead simple for the user to remember, without having to write it down. While at the same time, the statistical probability of that he’ll need to reuse passwords, becomes significantly reduced - At least passwords he has used previously, since these would historically for the most parts have been consisting of 8-10 character passwords.

In addition, creating a unique password for each service, would be easy since the user could use his own personal associations, such as for your site I could have chosen; “Holy mother of blip, I am so deadly scared now, that my hair stands straight up into the air”

All in all, significantly increasing the entropy, literally exploding it in size, while still making sure that the human brain is easily capable of remembering the actual password. This would also encourage users to make sure they use the “Remember me” checkbox when logging in, resulting in sending the password over the wire fewer times, arguably further increasing its security …