For 5 decades we've gotten used to the following: "Choose a password with one lowercase letter, one uppercase letter, 1 number, and 1 special character". This is probably the dumbest decision software development as a profession has collectively made since we started coding in Fortran some 70 years ago. The reason is simple: people confronted with such a rule have 3 choices, which are as follows.
- Reuse a password you've already used elsewhere
- Write your password down somewhere and store it
- Choose a password that's very short, so that you can remember it easily
All of the above techniques for remembering passwords are madness from a security point of view. Examples of great passwords are presented below.
- This is a very, very, very good password! YES REALLY!!
- Rainbows are funny, because they smell like unicorns
- I like turtles, but not the Ninja turtles
The above 3 examples are all extremely secure passwords. If you use passwords such as these, you don't need to write them down, you don't need to reuse passwords, and you can make them as long as you wish, yet still remember them easily. More importantly, the above passwords are many orders of magnitude harder to crack than 12 random characters. To understand why, let's look at the base numbers for your passwords.
If you have 12 sequential characters conforming to a regex validator, you have roughly 70 to the power of 12 possible combinations to test in order to brute force the correct password. This is easily achieved with a fancy pocket calculator today in roughly 20 minutes.
If you create sentences that have at least 12 words, there are (at least) 150,000 words in the English language, implying 150,000 to the power of 12 possible combinations to test before you've successfully brute forced the password. This is before we start considering slang words such as "gr8" and "luv", in addition to bad English such as the title of this article. As we add foreign languages and/or alternative alphabets, such as Norwegian, Swedish or Greek letters, the entropy explodes.
If you've got a password which is a sentence of at least 8 words, brute forcing that password becomes impossible in practice. However, a password regex validator prevents you from creating such passwords, because you'll need a "$" in there, you'll need a "1" in there, etc. Sentences containing special characters are not particularly easy to remember, which eliminates your ability to construct really, really, really good passwords that you can easily remember.
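To make the argument concrete, here is an added example (not code from the article or from Aista) that applies the classic complexity policy to the passphrases above and compares their search space with a 12-character, rule-conforming password. It takes the article's own estimates of roughly 70 symbols per position and 150,000 English words as assumptions, and the 12-character sample password "Passw0rd!Abc" is constructed for the comparison.

```python
import math
import re

# Figures taken from the article's own estimates, used here as assumptions:
# roughly 70 usable symbols per character position, ~150,000 English words.
CHARSET_SIZE = 70
VOCAB_SIZE = 150_000

# The rules of the classic "lowercase, uppercase, digit, special, 12+ chars" policy.
POLICY_RULES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"\d"),
    "special": re.compile(r"[^A-Za-z0-9\s]"),  # whitespace does not count
}
MIN_LENGTH = 12

def complexity_failures(pw: str) -> list:
    """Names of the policy rules a candidate breaks (empty list = accepted)."""
    failed = [name for name, rx in POLICY_RULES.items() if not rx.search(pw)]
    if len(pw) < MIN_LENGTH:
        failed.append("length")
    return failed

def passes_complexity_policy(pw: str) -> bool:
    return not complexity_failures(pw)

def word_count(pw: str) -> int:
    """Tokens a word-level guesser has to get right (punctuation ignored)."""
    return len(re.findall(r"[A-Za-z0-9']+", pw))

def character_bits(pw: str) -> float:
    """Search space in bits if every position is drawn from CHARSET_SIZE symbols."""
    return len(pw) * math.log2(CHARSET_SIZE)

def passphrase_bits(pw: str) -> float:
    """Search space in bits if the attacker guesses whole dictionary words.
    Assumes every token is a common word, i.e. the attacker's best case."""
    return word_count(pw) * math.log2(VOCAB_SIZE)

def strength_ratio(passphrase: str, password: str) -> float:
    """How many times larger the passphrase's word-level search space is than
    the password's character-level search space."""
    return 2 ** (passphrase_bits(passphrase) - character_bits(password))

if __name__ == "__main__":
    phrase = "Rainbows are funny, because they smell like unicorns"
    print("policy rejects phrase for:", complexity_failures(phrase))
    print("phrase bits:", round(passphrase_bits(phrase), 1),
          "password bits:", round(character_bits("Passw0rd!Abc"), 1))
```

The phrase fails only the "digit" rule, yet its word-level search space is about 2^64 times larger than that of the 12-character password the policy happily accepts.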
At Aista we have taken this problem seriously by simply removing all password validators entirely, allowing users to create whatever passwords they want. You can try it out below if you wish.