Slashdot Mirror


Slashdot Asks: Are Password Rules Bullshit? (codinghorror.com)

Here's what Jeff Atwood, a founder of Stack Overflow, thinks: Password rules are bullshit. They don't work.

1) They heavily penalize your ideal audience, people that use real random password generators. Hey, guess what, that password randomly didn't have a number or symbol in it. I just double checked my math textbook, and yep, it's possible. I'm pretty sure.
2) They frustrate average users, who then become uncooperative and use "creative" workarounds that make their passwords less secure.
3) Are often wrong, in the sense that they are grossly incomplete and/or insane.

Seriously, for the love of God, stop with this arbitrary password rule nonsense already. If you won't take my word for it, read this 2016 NIST password rules recommendation. It's right there, "no composition rules". However, I do see one error, it should have said "no bullshit composition rules".
What do you think?
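To put the two policies from the summary side by side, here is an added example (my own code, not Atwood's and not anything from the NIST document): a classic composition-rule validator next to a NIST-style check (a length minimum plus a blocklist of known-compromised passwords, and no composition rules), together with the arithmetic behind the "that password randomly didn't have a number" complaint. The blocklist entries, the minimum length and the test passwords are constructed for illustration.

```python
import math
import secrets
import string

# Constructed sample blocklist (a handful of entries); a real deployment
# would load a large list of breached and commonly used passwords.
BREACHED_BLOCKLIST = {"password", "password123", "qwerty", "letmein", "boiledcabbage"}

MIN_LENGTH = 8  # illustrative threshold


def composition_rule_check(pw: str) -> list[str]:
    """The classic 'must contain a digit, upper, lower and symbol' policy.
    Returns the list of rules the password violates (empty means accepted)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH}")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbol")
    return problems


def nist_style_check(pw: str) -> list[str]:
    """Policy in the spirit of the 2016 NIST guidance the summary cites:
    a length minimum and a check against known-compromised passwords,
    with no composition rules. Returns the list of violations."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH}")
    # Compare case-insensitively so a trivially capitalised breached
    # password ("Password123") is still caught.
    if pw.lower() in BREACHED_BLOCKLIST:
        problems.append("matches a known-compromised password")
    return problems


def generate_random_password(length: int = 16,
                             alphabet: str = string.ascii_letters + string.digits) -> str:
    """Uniformly random password from a CSPRNG, as a password manager would produce."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def probability_no_digit(length: int,
                         alphabet: str = string.ascii_letters + string.digits) -> float:
    """Chance that a uniformly random password of this length from this
    alphabet contains no digit at all, i.e. the chance that a 'must contain
    a number' rule rejects a perfectly good generated password."""
    non_digits = sum(1 for c in alphabet if not c.isdigit())
    return (non_digits / len(alphabet)) ** length


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing entropy of a uniformly random password; it depends only on
    length and alphabet size, not on which characters happened to be drawn."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for candidate in ("correcthorsebatterystaple", "Password123", generate_random_password()):
        print(f"{candidate!r}: composition -> {composition_rule_check(candidate) or 'OK'}, "
              f"nist-style -> {nist_style_check(candidate) or 'OK'}")
    print(f"P(no digit in 16 random alphanumerics) = {probability_no_digit(16):.3f}")
    print(f"entropy of 16 random alphanumerics = {entropy_bits(16, 62):.1f} bits")
```

Running it shows the mismatch Atwood is complaining about: the composition policy waves "Password123" through with only a "no symbol" complaint, while the blocklist check rejects it outright; and roughly six percent of 16-character alphanumeric passwords from a generator contain no digit, so a "must contain a number" rule rejects them even though their entropy (about 95 bits) is identical to the ones it accepts.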

9 of 498 comments

  1. Re:Customer Psychology by Ryanrule · Score: 5, Funny

    Just use one of those weak/medium/strong meters. Pick a strength at random.

  2. Re:In your face Betteridge! by Hognoxious · Score: 4, Funny

    Why couldn't they hash & store each character separately - so it's effectively multiple short passwords?

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  3. Re:Of course you are right - but how to make it st by MightyYar · Score: 4, Funny

    Make sure the creases in your aluminum hat are sharp and at a 60 degree angle.

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  4. Re:In your face Betteridge! by Oswald+McWeany · Score: 5, Funny

    Things you should never use as a password:

    1) Your first pet's name
    2) The street you grew up on
    3) The model of your first car

    Things banks use for "security questions":

    see above.

    That's why I always use Password123

    --
    "That's the way to do it" - Punch
  5. Re:£B{: by Anonymous Coward · Score: 3, Funny

    Depends on the security questions. For example, a few of them that I use:

    "What is the surname of your last parole officer?"
    "Who was the judge that signed your last peace bond?"
    "What items were in the property room the last time you made bail?"
    "What street was it that you were arrested on?"
    "How many inches deep a grave did you dig for the bodies?"
    "When you were arrested for DWI, how many feet did you make it with the sobriety test before falling down?"
    "What was the badge ID of your last arresting officer?"

    Those tend to be fairly hard to find, as opposed to someone's dog's name.

  6. Re:What is truly bullshit... by Rei · Score: 3, Funny

    Indeed. I have a password that I use for all of the diverse sites that I don't give a rat's arse about. What's someone going to do if they compromise it, make fake posts as me? Ooh, shudder.

    --
    The big brain am winning again! I am the greetist! Now I am leaving for no particular raisin!
  7. Re:Let me see what I type by freeze128 · Score: 4, Funny

    Yes! I agree. Let him see his password as he types it. I'm standing over his shoulder....

  8. Re:Obligatory XKCD by tehcyder · Score: 3, Funny

    Aka, if the last letters the person typed in were "stapl", what do you think the next letter is going to be?

    In what circumstances would I know what the last letters the person typed in were? Passwords don't work like that. The only circumstances this may be known is with a key-logger, in which case all bets are off. I don't have to work out what the next letter might be. Just wait and I'll be told.

    But I've seen in Hollywood films how they attach a device that cracks passwords one number/letter at a time.

    --
    To have a right to do a thing is not at all the same as to be right in doing it
  9. Apropos joke in inbox today by mpercy · Score: 3, Funny

    WINDOWS: Please enter your new password.
    USER: cabbage
    WINDOWS: Sorry, the password must be more than 8 characters.
    USER: boiledcabbage
    WINDOWS: Sorry, the password must contain 1 numerical character.
    USER: 1 boiledcabbage
    WINDOWS: Sorry, the password cannot have blank spaces.
    USER: 50fuckingboiledcabbages
    WINDOWS: Sorry, the password must contain at least one upper case character.
    USER: 50FUCKINGboiledcabbages
    WINDOWS: Sorry, the password cannot use more than one upper case character consecutively.
    USER: 50FuckingBoiledCabbages ShovedUpYourAssIfYouDon'tGiveMeAccessNow!
    WINDOWS: Sorry, the password cannot contain punctuation.
    USER: ReallyPissedOff50FuckingBoiledCabbages ShovedUpYourAssIfYouDontGiveMeAccessNow
    WINDOWS: Sorry, that password is already used.