I hate P@55w0rd policy and security questions

思然 oce
5 min read · May 23, 2018
Photo by Matthew Brodeur on Unsplash

In the old days, most people picked passwords that were easy to remember. Even nowadays, we still sometimes find end-users using simple passwords like asdf1234 or password during our password brute-force checks. There are also some seemingly very “creative” passwords, like fxxk<bossname>, ilove<private body parts>… But believe me, many people have done the same, so it is not really that creative.

This is understandable but unacceptable. Since users tend to pick simple passwords no matter how well informed they are about the security threats in the virtual space, the best way to prevent users from using a simple password is to enforce complex password rules.

So no more birthdays or phone numbers, dictionary words, etc. The system will reject your password by telling you that “Your new password does not meet our criteria, please input a password with more than 8 characters, at least one symbol like #$%$%, not the same as any of your previous 10 passwords, etc, etc, etc……..”

As an IT Auditor / IT Consultant, I loved to see this message: it implied my client had enforced a strong password policy, and hence less work for me. That was until one day this message popped up when I was changing my own company password.

Since then, picking a new password has become one of the most annoying tasks for me. Especially if…

思然 oce

PhD | Research Psychologist | Psychometrician | Computer Science Teacher | IT Auditor/Consultant | ex-CISA/CISSP | Top Writer in Humor | Work in HK, UK, USA