Rethinking Password Policies (uncut)
Abe Singer, Warren Anderson, and Rik Farrow
[NOTE: The abridged article appears in the print issue of ;login: (August 2013).]
We are all familiar with having “rules” for passwords: they must have characters from various character sets, have a minimum length, get changed regularly, not be written down, etc. These rules are supposed to make passwords “secure,” but there’s little to no research to support that argument. In fact, they can even weaken security. We argue that it’s time for a radical change of password policy.