Why most password requirements are silly. Also, here’s our flavor
<p>If you intend on building a secure application, you should enforce strong password requirements to prevent bad actors from easily breaching your users’ accounts.</p>
<p>Having revamped our password requirements twice as part of our work at <a href="https://github.com/Infisical/infisical" rel="noopener ugc nofollow" target="_blank">Infisical</a>, I discuss everything about password requirements in this article from what’s silly about modern password requirements to NIST recommendations on how to make good ones.</p>
<h1>What are password requirements?</h1>
<p>To begin, a password requirement is any rule that a password must conform to. For instance, a requirement might be to include at least 1 uppercase character; a more stringent requirement might combine multiple rules together.</p>
<p>Having password requirements is important to mitigate risk, since people are terrible at choosing good passwords. In fact, the infamous <a href="https://en.wikipedia.org/wiki/RockYou" rel="noopener ugc nofollow" target="_blank">RockYou</a> incident back in 2009 confirmed this when 32 million user accounts were breached; because the passwords had been stored in cleartext, we learned just how terrible people are at choosing them. Consider these top six most commonly used passwords found during the breach:</p>
<ul>
<li>princess</li>
<li>rockyou</li>
<li>1234567</li>
<li>12345678</li>
<li>abc123</li>
</ul>
<p>Unsurprisingly, by using sophisticated methods targeting leaked passwords and common patterns, bad actors routinely exploit such weak passwords and gain access to accounts wherever possible.</p>
<p>That said, by considering guidance set forth by the <a href="https://www.nist.gov/" rel="noopener ugc nofollow" target="_blank">National Institute of Standards and Technology (NIST)</a>, various regulatory/compliance frameworks, and your specific circumstances, you can make it difficult for bad actors to brute-force passwords, hopefully without sacrificing user experience.</p>
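<p>To make the contrast concrete, here is an added example (not Infisical's code) that puts a composition-only rule next to a NIST SP 800-63B-style check: length between 8 and 64, a blocklist seeded with the RockYou passwords quoted above, no username inside the password, and no trivially repetitive or sequential runs. The stripping of leading/trailing digits and symbols before the blocklist lookup is my own heuristic, not something NIST prescribes.</p>

```python
import re

# Constructed blocklist: the common RockYou passwords quoted in the article.
# A real deployment would use a full breached-password corpus.
BREACHED_PASSWORDS = {"princess", "rockyou", "1234567", "12345678", "abc123"}


def composition_only(password: str) -> bool:
    """The 'silly' rule: at least 8 characters and one uppercase letter."""
    return len(password) >= 8 and any(c.isupper() for c in password)


def _normalize(password: str) -> str:
    # Assumption (heuristic, beyond NIST): strip leading/trailing digits and
    # symbols so that 'Princess1!' still matches the breached entry 'princess'.
    stripped = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password)
    return (stripped or password).lower()


def _has_sequence(password: str, run: int = 4) -> bool:
    """True if `run` consecutive characters ascend by one code point (e.g. '1234')."""
    codes = [ord(c) for c in password.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        if all(window[j + 1] - window[j] == 1 for j in range(run - 1)):
            return True
    return False


def nist_style_check(password: str, username: str = "") -> list[str]:
    """Return the reasons a password fails; an empty list means it is acceptable.
    Mirrors the spirit of NIST SP 800-63B: length bounds, a blocklist of
    breached/common values, no context-specific words, no repetitive or
    sequential strings. Spaces and any printable character are allowed."""
    reasons = []
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    if len(password) > 64:
        reasons.append("longer than 64 characters")
    if _normalize(password) in BREACHED_PASSWORDS:
        reasons.append("matches a known breached/common password")
    if username and username.lower() in password.lower():
        reasons.append("contains the username")
    if re.search(r"(.)\1{3}", password):
        reasons.append("repeats one character 4 or more times")
    if _has_sequence(password):
        reasons.append("sequential run of 4 or more characters")
    return reasons
```

<p>Note that "Princess1!" satisfies the composition rule yet is rejected by the blocklist, while a long lowercase passphrase fails the composition rule and passes the NIST-style check.</p>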
<p><a href="https://medium.com/@tony.infisical/password-requirements-are-still-confusing-in-2023-also-heres-our-flavor-44ce03a3255c">Visit Now</a></p>