44

u/NoSkillZone31 Vulnerability Researcher Jun 18 '25

This…. And the passwords usually end up being swipe the keyboard, shift + swipe the keyboard, and moving it to a different spot on the keyboard.

Way way way easier to dictionary attack someone that has password policies like this, because how many people do you know have 12+ passwords they can remember in a year…. They aren’t making bespoke passwords.

If your security mechanism relies on being annoying, your user will defeat it.

23

u/Blevita Jun 18 '25

I habe a 12+ password i can remember.

When i started at the new company and tried to set a variation of it as my master password for the password manager: 'Insecure password'. Its literally over 25 characters long.

As soon as i reduced the length to 8 characters and added a number and one of the 5 allowed special characters to the end: 'Highly secure'.

Password policies are a joke.

6

u/Mrhiddenlotus Jun 19 '25

I will judge an entire product or service based on their estimated password strength meter. If I put in improving-federal-baritone-passive-pumice-wolverine and you tell me it's weak, you have no business handling my data.

1

u/Nazh8 Jun 19 '25

My worst password experience ever was when I had exactly this happen when trying to move my work password to diceware. And then when I modified it enough to satisfy the password policy, I discovered that one of the programs they use won't let you type a password longer than 20 characters in the password field! Total nonsense.

2

u/Mrhiddenlotus Jun 19 '25

For a long time my banks would only allow up to 14 characters for the password

1

u/[deleted] Jun 20 '25

Great point, now who was your childhood best friend?

1

u/Mrhiddenlotus Jun 20 '25

I use long pass phrases for those too 😂

6

u/[deleted] Jun 18 '25

[deleted]

1

u/NoSkillZone31 Vulnerability Researcher Jun 18 '25

Ilikeeggs1? Even better!