Reality check: A public service announcement about passwords

If anyone ever says to you, “your password must contain one capital, a digit,…”, you can be certain that they are an idiot, and that they do not understand security. If you encounter such requirements in software, then it was written by an idiot—or it was written to a standard which was written by an idiot.

I’m serious. This is not hyperbole. Anyone who says such things truly has not even the most basic understanding of computer security. You should immediately stop trusting them with anything related to computer security.

To begin to understand why this is true, please enjoy this wonderfully explanatory cartoon from XKCD: Password Strength.

The cartoon is fun, but its core point about the critical feature of your passwords being the amount of entropy they contain will make you smarter than the vast majority of people.

ɕ

I write here most days — reflections, quotes, and working with the garage door up. This is one of more than 5,000 posts. Wander to another →

If you like the way I think, you might like what I’m reading. Every so often I send out 7 for Sunday — seven things I’ve savored, about five minutes, whenever they’re ready. No hooks, no nonsense. Read a recent issue →