In every organization I have worked with, managing user authentication and passwords was a huge challenge. The key issue was that the “old” password best practices were failed attempts to fix the user, not the system.
In order for passwords to be difficult to crack, they should be both long and complex. Since people have a very hard time remembering long passwords, we have accommodated shorter passwords by adding rules that enforce a minimum level of complexity. Unfortunately, this makes the resulting password just as challenging for a person to remember.
Length actually matters more to cracking difficulty than complexity does, because the number of candidates an attacker must try grows exponentially with every character added. For short passwords we can literally try every possibility, so complexity does not even matter. It is much better to have longer passwords (with less enforced complexity), i.e. a “pass phrase”. E.g. “ilovewatchingthesopranos” is much more secure than “Xc$1>”.
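To put numbers on that comparison, here is a small added example (not code from the original post) that estimates the exhaustive search space of each of the two passwords above from its length and the character classes it uses, and converts that into worst-case time at an assumed guess rate; the class alphabets and the 10 billion guesses per second figure are assumptions chosen for illustration.

```python
import math
import string

# Character classes an exhaustive search has to cover, with the alphabet
# size each one contributes (26 + 26 + 10 + 33 = 95 printable ASCII).
# These alphabets are an assumption made for this example.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation + " ",
}


def alphabet_size(password: str) -> int:
    """Size of the union of character classes the password draws from."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def keyspace(password: str) -> int:
    """Candidates an exhaustive search over that alphabet and length must try.

    This models brute force only: a guesser that tries dictionary words or
    phrases treats a passphrase as a few large tokens, so the real margin
    for a phrase built from common words is smaller than this number.
    """
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Search space expressed in bits (log2 of the keyspace)."""
    return math.log2(keyspace(password))


def years_to_exhaust(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case years to try every candidate at the assumed guess rate."""
    seconds = keyspace(password) / guesses_per_second
    return seconds / (365 * 24 * 3600)


def compare(short: str = "Xc$1>", phrase: str = "ilovewatchingthesopranos") -> dict:
    """Side-by-side figures for the post's two example passwords."""
    return {pw: {"alphabet": alphabet_size(pw), "length": len(pw),
                 "bits": round(entropy_bits(pw), 1),
                 "years": years_to_exhaust(pw)} for pw in (short, phrase)}


if __name__ == "__main__":
    for pw, stats in compare().items():
        print(f"{pw!r}: {stats}")
```

The five-character password uses all four classes yet sits at roughly 33 bits and is exhausted in under a second at that rate, while the 24-character lowercase phrase is around 113 bits, which is why length is the lever worth pulling.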