While Passkeys are still relatively new, some people may not be able to use them. That’s going to be a fact of life. But it isn’t hard for a website to enforce the minimum requirements that must be followed today.
If the minimum length requirement is 8 characters, we don’t necessarily have to tell users to use long, complex, hard-to-remember passwords. A passphrase is just as good, and it can be memorable if you do it correctly.
What’s still interesting about this article is that they are saying that sites should allow spaces within passwords. This is the second article that has talked about using spaces within passwords.
I’d be curious what experts who come across this have to say. Post your responses, we’d love to hear from you!
Here are some interesting stats this latest study found.
- 12% of the websites they looked at completely lack password length requirements
- 3 out of 4 fail to meet minimum requirement standards, which means they:
  - Allow very short passwords
  - Do not block common passwords
  - Use outdated requirements like complex characters
The study also says that more than half of the websites surveyed still allowed 6 characters or less for a password. I think our web site services have changed this, especially for account creation services like email and FTP.
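As an added illustration (not code from the study or the Malwarebytes article), here is a server-side check that avoids the failings listed above: it enforces the 8-character minimum, accepts spaces, blocks common passwords and imposes no character-class rules. The blocklist is a small constructed sample, and the 64-character cap, the function names and the username check are assumptions.

```python
import unicodedata

MIN_LENGTH = 8    # the minimum length the post mentions
MAX_LENGTH = 64   # assumption: a generous cap so long passphrases still fit

# Constructed sample blocklist. A real deployment would load a large list
# of common and breached passwords instead of these few entries.
COMMON_PASSWORDS = {
    "password", "password1", "12345678", "qwertyuiop", "iloveyou", "letmein123",
}


def normalize(password):
    """Normalize Unicode so look-alike encodings compare as the same text."""
    return unicodedata.normalize("NFKC", password)


def check_password(password, username=""):
    """Return a list of rejection reasons; an empty list means accepted.

    Deliberately absent: rules demanding digits, symbols or mixed case,
    and any ban on spaces.
    """
    problems = []
    pw = normalize(password)
    folded = pw.casefold()

    # Length is counted in characters after normalization.
    if len(pw) < MIN_LENGTH:
        problems.append("too_short")
    if len(pw) > MAX_LENGTH:
        problems.append("too_long")

    # Blocklist match, also with whitespace removed, so that spacing out
    # a common password does not slip past the check.
    if folded in COMMON_PASSWORDS or "".join(folded.split()) in COMMON_PASSWORDS:
        problems.append("common_password")

    # One character repeated satisfies the length rule but is trivial to guess.
    if pw and len(set(pw)) == 1:
        problems.append("repeated_character")

    if username and folded == username.casefold():
        problems.append("matches_username")

    return problems
```

A lowercase passphrase with spaces passes this check, while `Password` and `p a s s w o r d` are both rejected as common passwords.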
The reasons not to enforce standards are obvious. Make it easy for people to use the service, don’t have too many password resets and everyone is happy. But my opinion is this: with all of the breaches we’ve had, would you like to jeopardize your data or have a more secure network with a bit of complication from users not understanding why? I’d rather have the latter, but then again, I’ve seen everything to date where others haven’t.
One of the things I disagree with is the changing of passwords after so many days. I understand that NIST, the National Institute of Standards and Technology, indicates that it’s not necessary for us to do that as it is counterproductive. But not using some sort of complex password or passphrase is just asking for trouble.
While I agree that passkeys are probably a better solution, I don’t know how they work or even if they’re supported by sites. In the meantime, a password manager can be helpful in this matter as you can set the length and complexity of the password and of course, it remembers it for you so you don’t have to.
The iOS Keychain is the easiest to use, but it isn’t cross-platform like LastPass, 1Password and others.
To learn more about some password managers, listen to podcast 170 over the Thanksgiving holiday. We talk about some of the features some offer that might be of value.
For more about the study I’m writing about, please check out the Malwarebytes article: Many major websites allow users to have weak passwords.
What are your thoughts? Let’s hear from you!