Stop Forcing Complex Passwords on the Web
Many websites today require complex passwords with these rules: A capital letter A special character At least one number A minimum of six to eight characters How Do Users Respond? Most people follow these rules in predictable ways: Capital letter? The first letter: "Password" Special character? Usually "!" or "@", at the end: "Password!" One number? Often "1", also at the end: "Password1" Minimum length? They just keep adding numbers: "Password123" Are These Passwords Secure? Let's check how often these appear in data breaches: Password!123 – 1,831 times Password! – 7,694 times password! – 115,257 times Password123 – 130,684 times password123 – 343,763 times password1 – 3,383,590 times password – 11,394,719 times Clearly, many people treat password creation as just another required step, and the rules don't stop weak passwords The Purpose of Complex Passwords The goal of complex passwords is to prevent attackers from guessing them in a reasonable amount of time. A few decades ago, when passwords were mainly used for encrypted documents or local systems, this made sense. Websites didn't enforce strict password policies, two-factor authentication (2FA) wasn't common, and brute-force attacks were somewhat feasible But in today's web-based world, strict password rules feel outdated. They're a relic from a time when a lot of systems didn't have much money, they were not online, and multi-factor authentication didn't exist Now, even logging into a personal computer may require a second factor – so why force users to create complex passwords for websites? What Can Websites Do Instead? Introduce login delays – Even a 200–500ms delay can slow down brute-force attempts without bothering users Limit login attempts – Restrict retries per account or IP (without locking out legitimate users too quickly) Use two-factor authentication (2FA) – If 2FA is properly implemented, password complexity becomes much less important Use CAPTCHA – Automated bots can be stopped with CAPTCHA, but choose a solution that doesn't require users to select fire hydrants or traffic lights A deeper look into these alternatives will be covered in another publication note, but let's focus on passwords for now Instead of forcing complex passwords, consider: Assessing if it's really a problem Informing users about weak passwords If a user's account security doesn't actually depend on password complexity, stop making it harder for them. The only reasonable requirement for web passwords is a minimum length P.S. If a website restricts password length (e.g., 24 or 32 characters), it's a red flag. Proper password handling (like PBKDF2) ensures that length shouldn't impact performance. Some sites even limit passwords to 49 characters – completely strange
Many websites today require complex passwords with these rules:
- A capital letter
- A special character
- At least one number
- A minimum of six to eight characters
How Do Users Respond?
Most people follow these rules in predictable ways:
- Capital letter? The first letter: "Password"
- Special character? Usually "!" or "@", at the end: "Password!"
- One number? Often "1", also at the end: "Password1"
- Minimum length? They just keep adding numbers: "Password123"
Are These Passwords Secure?
Let's check how often these appear in data breaches:
- Password!123 – 1,831 times
- Password! – 7,694 times
- password! – 115,257 times
- Password123 – 130,684 times
- password123 – 343,763 times
- password1 – 3,383,590 times
- password – 11,394,719 times
Clearly, many people treat password creation as just another required step, and the rules don't stop weak passwords
The Purpose of Complex Passwords
The goal of complex passwords is to prevent attackers from guessing them in a reasonable amount of time. A few decades ago, when passwords were mainly used for encrypted documents or local systems, this made sense. Websites didn't enforce strict password policies, two-factor authentication (2FA) wasn't common, and brute-force attacks were somewhat feasible
But in today's web-based world, strict password rules feel outdated. They're a relic from a time when a lot of systems didn't have much money, they were not online, and multi-factor authentication didn't exist
Now, even logging into a personal computer may require a second factor – so why force users to create complex passwords for websites?
What Can Websites Do Instead?
- Introduce login delays – Even a 200–500ms delay can slow down brute-force attempts without bothering users
- Limit login attempts – Restrict retries per account or IP (without locking out legitimate users too quickly)
- Use two-factor authentication (2FA) – If 2FA is properly implemented, password complexity becomes much less important
- Use CAPTCHA – Automated bots can be stopped with CAPTCHA, but choose a solution that doesn't require users to select fire hydrants or traffic lights
A deeper look into these alternatives will be covered in another publication note, but let's focus on passwords for now
Instead of forcing complex passwords, consider:
- Assessing if it's really a problem
- Informing users about weak passwords
If a user's account security doesn't actually depend on password complexity, stop making it harder for them. The only reasonable requirement for web passwords is a minimum length
P.S. If a website restricts password length (e.g., 24 or 32 characters), it's a red flag. Proper password handling (like PBKDF2) ensures that length shouldn't impact performance. Some sites even limit passwords to 49 characters – completely strange
