• @rog@lemmy.one
    11 year ago

    Best practice in 2023 is a simple, sufficiently long but memorable passphrase. Excessive requirements mean users just create weak passwords with patterns.
    [Capital letter]basic word(number){special character}

    Enforcing password changes doesnt help either. It just creates further patterns. The vast majority of compromised credentials are used immediately or within a short time frame anyway. Changing the password 2 months later isnt going to help and passwords like July2023!, which are common, are weak to begin with.

    A non expiring, long, easily remembered passphase like
    forgetting-spaghetti-toad-box
    Is much more secure than a short password with enforced complexity requirements.

    • @kevincox@lemmy.ml
      11 year ago

      Drop “memorable”. 99.9% of your passwords should be managed by your password manager and don’t need to be memorized. On one or two passwords that you actually need to type (like your computer login) need to be memorable.