atoponce, 6 months ago

I've been screaming this for years. Service providers that provide authentication should do these two things at a minimum:

1. Require at least 12 characters.
2. Use ZXCVBN to estimate password strength and require a score of 4.

Interestingly enough, if you do those two things, you don't need stupid password complexity requirements, and you don't need a blacklist, as 12+ characters with a ZXCVBN score of 4 won't show up in password database breaches.

https://www.cc.gatech.edu/news/largest-study-its-kind-shows-outdated-password-practices-are-widespread

#passwords