This dumb password rule is from Nevada DMV.

- Password length must be exactly 8 characters in length
- Password must contain at least one letter (any position)
- Password must contain at least one number (any position)
- Password must contain one of the following special characters: @ # $
- Password is not case sensitive

https://dumbpasswordrules.com/sites/nevada-dmv/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

@dumbpasswordrules In a cybersecurity class in college I made the case that complex password rules can make passwords *less* safe because it essentially whittles down variations and allows a more defined "schema" attackers can use for brute force password attacks.

@damngoodtech @dumbpasswordrules Mathematically correct but functionally wrong. The "best case" password gets worse, but both the worst case and average case get better. Since the best case password is still definitely strong enough under most "complex" schemes, it still meets the goal of better passwords.

That's excluding ridiculous rules like max lengths, of course. And that's not to say there isn't a way to increase password security in a way that isn't infuriating to the humans using them.

@damngoodtech @dumbpasswordrules Plus, it's the "worst case" password that attackers are targeting, so improving that at the expense of other passwords is still a valid tradeoff, even if it made the average case worse too.
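
The keyspace effect debated in the replies can be counted exactly for the Nevada DMV rule. The following is an added example, not part of the thread: it assumes the only permitted characters are case-insensitive letters, digits and the three listed specials, and reads "one of" as "at least one". The function and variable names are illustrative.

```python
import math
from itertools import combinations, product

def count_passwords(length, required, optional=0):
    """Count strings of `length` over disjoint character classes in which
    every class in `required` (a list of class sizes) appears at least once.
    `optional` is the number of extra allowed characters with no requirement.
    Inclusion-exclusion over the set of required classes that are left out."""
    alphabet = sum(required) + optional
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            total += (-1) ** k * (alphabet - sum(missing)) ** length
    return total

def brute_force_count(length, classes):
    """Enumerate every string and apply the rule directly (tiny inputs only);
    used to cross-check the closed-form count."""
    alphabet = "".join(classes)
    return sum(
        all(any(ch in cls for ch in pw) for cls in classes)
        for pw in product(alphabet, repeat=length)
    )

# Assumed reading of the rule: 26 letters (case folded), 10 digits, 3 specials.
NEVADA_CLASSES = [26, 10, 3]
NEVADA_LENGTH = 8  # "exactly 8 characters"

def summary():
    allowed = count_passwords(NEVADA_LENGTH, NEVADA_CLASSES)
    same_alphabet = sum(NEVADA_CLASSES) ** NEVADA_LENGTH  # no composition rules
    printable = 95 ** NEVADA_LENGTH  # case-sensitive printable ASCII, length 8
    return {
        "allowed": allowed,
        "bits": math.log2(allowed),
        "fraction_of_same_alphabet": allowed / same_alphabet,
        "bits_printable_ascii_len8": math.log2(printable),
    }

if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name}: {value}")
```

Under these assumptions the composition rules remove a bit under 60% of the 39^8 strings, and the fixed length and case folding cap the space at roughly 41 bits, against about 52.6 bits for eight case-sensitive printable ASCII characters.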