I've been screaming this for years. Service providers that provide authentication should do these two things at a minimum:
1. Require at least 12 characters.
2. Use ZXCVBN to estimate password strength and require a score of 4.
Interestingly enough, if you do those two things, you don't have to have stupid password complexity requirements, and you don't need a blacklist, as 12+ characters with a ZXCVBN score of 4 won't show up in password database breaches.
https://www.cc.gatech.edu/news/largest-study-its-kind-shows-outdated-password-practices-are-widespread
#passwords
Aaron Toponce ⚛️:debian: /
npub14d…s5uyy
2023-11-26 14:46:09
Author Public Key
npub14dfr55yyvfw0leduur7e4af7fnkeegww6e2n64laxkkdyn4sufrqhs5uyyPublished at
2023-11-26 14:46:09Event JSON
{
"id": "23224638af4541032ccbe68a97980eb985e4a3906d2bb2573be1f3822a7968b7",
"pubkey": "ab523a5084625cffe5bce0fd9af53e4ced9ca1ced6553d57fd35acd24eb0e246",
"created_at": 1701009969,
"kind": 1,
"tags": [
[
"t",
"passwords"
],
[
"proxy",
"https://fosstodon.org/users/atoponce/statuses/111477389331288547",
"activitypub"
]
],
"content": "I've been screaming this for years. Service providers that provide authentication should do these two things at a minimum:\n\n1. Require at least 12 characters.\n2. Use ZXCVBN to estimate password strength and require a score of 4.\n\nInterestingly enough, if you do those two things, you don't have to have stupid password complexity requirements, and you don't need a blacklist, as 12+ characters with a ZXCVBN score of 4 won't show up in password database breaches.\n\nhttps://www.cc.gatech.edu/news/largest-study-its-kind-shows-outdated-password-practices-are-widespread\n\n#passwords",
"sig": "af908f1a274ceb4eb029f3315dd97972f1ae53ef27364dc7803ddd19a0941b622e55c3fc6762a88f73b1c4bbc7ffd07f4d515627ac7ae3c9a148c7584581e257"
}