New research, best practices, and technology have changed the way we think about password strength. We now know that the heuristics long assumed to improve passwords actually break down because they ignore one simple variable: the people who have to use them.

The LUDS requirement (at least one lowercase letter, uppercase letter, digit, and symbol), ostensibly imposed to increase password complexity, provides little to no benefit and may actually weaken passwords, because it was never designed with people in mind. Users still have to remember their passwords, so to make them memorable while satisfying LUDS they apply simple, predictable transformations. P@ssw0rd passes LUDS yet is only slightly harder to guess than password: it appears in common cracking wordlists, and the substitutions it relies on (@ for a, 0 for o, a single leading capital) are among the first mangling rules a cracker tries. xkcd illustrates the point succinctly:

Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.

Outdated thinking also holds that mandatory password resets are good for security. But users apply the same simple transformations when forced to change a password: P@ssw0rd becomes P@$$w0rd, or a trailing 1 becomes a 2. In such a system an attacker who has compromised an older, expired password is actually more likely to be able to guess the current one, because the new password is a predictable derivative of the old.

Even Bill Burr, author of the 2003 NIST guidance that introduced the original password strength rules, has reversed himself. The new thinking contradicts decades of previous practice, but it is simple:

  1. Impose a minimum password length.
  2. Suggest, but don’t require, long, plain-language phrases.
  3. Implement two-factor authentication when possible.
  4. Don’t impose LUDS or other arbitrary complexity rules.
  5. And don’t require frequent password resets. The only time passwords should be expired is in the event of a suspected or known compromise.

Developers can implement more objective password strength testing with little effort. The handy library zxcvbn scores password strength on a scale of 0 to 4 by estimating how many guesses an attacker would need, taking into account common passwords, dictionary words, keyboard patterns, dates, repeats, and l33t transformations, without imposing specific composition rules. It also converts that guess count into estimated crack times under several attack scenarios, from a throttled online login form to an offline attack against a fast hash. Two practical caveats: pass the user's own name and e-mail address in as extra inputs so they are penalized like dictionary words, and treat the client-side score as advice only, enforcing the same check on the server alongside a lookup against a breached-password list. Implementers are then left with a single decision: what is the minimum acceptable score?
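The policy described above, put together in one place as an added example (this is not the article's code nor zxcvbn's own): a minimum length, no LUDS rule, rejection of common passwords and of the predictable l33t and suffix transformations users apply to them, a zxcvbn-style 0 to 4 score derived from an estimated guess count, crack-time estimates under the four attack rates zxcvbn reports, and a similarity check for the one reset that is justified (a suspected compromise), so that P@ssw0rd cannot be replaced by P@$$w0rd. The common-password list, the minimum length of 8, and the minimum score of 3 are assumptions chosen for illustration; the guess pricing is a deliberate simplification of what zxcvbn does.

```python
"""Password policy check: length minimum, no LUDS, dictionary-aware scoring,
similarity check on reset. Added example, not the article's or zxcvbn's code."""
import re

# Constructed stand-in for a breached/common password list (rank 1 = most common).
# A real deployment loads a list with millions of entries.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "welcome",
                    "monkey", "dragon", "iloveyou", "football", "baseball"]
COMMON_RANK = {pw: i + 1 for i, pw in enumerate(COMMON_PASSWORDS)}

# Substitutions people use to satisfy LUDS without changing the underlying word.
LEET = {"@": "a", "4": "a", "8": "b", "3": "e", "1": "i", "!": "i", "|": "l",
        "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"}

# Guess rates zxcvbn uses for its crack-time display (guesses per second).
ATTACK_RATES = {
    "online_throttling_100_per_hour": 100 / 3600,
    "online_no_throttling_10_per_second": 10,
    "offline_slow_hashing_1e4_per_second": 1e4,
    "offline_fast_hashing_1e10_per_second": 1e10,
}

MIN_LENGTH = 8   # assumption: the article only says "impose a minimum length"
MIN_SCORE = 3    # assumption: the implementer's "minimum acceptable strength"


def normalize(password: str) -> str:
    """Undo l33t substitutions and case: P@ssw0rd and P@$$w0rd both become password."""
    return "".join(LEET.get(c, c) for c in password).lower()


def dictionary_guesses(password: str):
    """Guess count if the password is a common word with predictable decoration, else None.

    Price = rank of the base word, x2 per substituted char, x2 per capital,
    x10 per trailing digit/symbol (a suffix of up to three is tried).
    """
    core, suffix = re.fullmatch(r"(.*?)([0-9!?.]{0,3})", password, re.DOTALL).groups()
    for base, tail in ((password, ""), (core, suffix)):
        subs = sum(c in LEET for c in base)
        for word, variations in ((base.lower(), 1), (normalize(base), 2 ** subs)):
            if word in COMMON_RANK:
                uppers = sum(c.isupper() for c in base)
                return COMMON_RANK[word] * variations * 2 ** uppers * 10 ** len(tail)
    return None


def brute_force_guesses(password: str) -> int:
    """Fallback for anything not dictionary-based: charset size to the power of length."""
    space = 0
    if any(c.islower() for c in password): space += 26
    if any(c.isupper() for c in password): space += 26
    if any(c.isdigit() for c in password): space += 10
    if any(not c.isalnum() for c in password): space += 33
    return max(space, 1) ** len(password)


def estimate_guesses(password: str) -> int:
    found = dictionary_guesses(password)
    return found if found is not None else brute_force_guesses(password)


def score(guesses: float) -> int:
    """zxcvbn's 0-4 buckets: below 1e3, 1e6, 1e8, 1e10 guesses, else 4."""
    for s, limit in enumerate((1e3, 1e6, 1e8, 1e10)):
        if guesses < limit:
            return s
    return 4


def crack_times(guesses: int) -> dict:
    """Seconds to exhaust the guess count under each attack scenario."""
    return {name: guesses / rate for name, rate in ATTACK_RATES.items()}


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def too_similar(new: str, old: str, max_distance: int = 2) -> bool:
    """Compare normalized forms, so a reset that only swaps symbols is caught."""
    return levenshtein(normalize(new), normalize(old)) <= max_distance


def check_password(password: str, previous=None):
    """Apply the policy; returns (accepted, reason). Deliberately no LUDS rule."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if dictionary_guesses(password) is not None:
        return False, "a common password or a predictable variation of one"
    s = score(estimate_guesses(password))
    if s < MIN_SCORE:
        return False, f"strength {s}/4 is below the required {MIN_SCORE}"
    if previous is not None and too_similar(password, previous):
        return False, "too similar to the password it replaces"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["P@ssw0rd", "Welcome1!", "Sunny", "correct horse battery staple"]:
        print(f"{pw!r}: score {score(estimate_guesses(pw))}, {check_password(pw)}")
    print(check_password("Tr0ub4dor&4", previous="Tr0ub4dor&3"))
```

The real library is a drop-in for the scoring half: in the Python port, `zxcvbn(password, user_inputs=[name, email])` returns a dict whose `score` and `crack_times_display` entries correspond to what `score()` and `crack_times()` compute here, with far better pattern coverage. The brute-force fallback in this example overestimates anything it does not recognize (a toy list of ten words recognizes very little), which is exactly why production code should use zxcvbn's dictionaries plus a breached-password lookup rather than a home-grown estimator.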