
In the USA, the latest government guidance from Jan 2022 is that "Password policies MUST NOT require use of special characters or regular rotation". [1] This is a strong upgrade from earlier softer language like "don't have to/should not".

In practice, this new rule contradicts almost every InfoSec stance out there, but all government agencies must comply with this new rule by the end of the year, so expect lots of conversations and changes.

[1] https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-0... Approachable summary at https://www.bastionzero.com/blog/i-read-the-federal-governme...



The "character class" requirement really doesn't add much security. And the "password rotation" policy can actually result in worse passwords than otherwise. Those measures were effectively just folk medicine from the days when the threat was thought to be someone manually trying to brute-force your password at your terminal.


You're probably right that, in practice, the character class doesn't automatically add security if the password is sufficiently strong and random. The theory is that by introducing special characters you're decreasing the likelihood of having characters that are commonly found together, thus decreasing the effectiveness of dictionary attacks.

Of course modern dictionary algorithms will still look for characters that are commonly used as substitutes for letters ($ = s, # = h, ! = 1 etc.) so really you just want your password to be random, long and unique.


The vast majority of passwords will have just 1 symbol, either at the start or end, or replace A with @, S with $, etc.

P@55w0rd!

Is an awful password, yet meets many security policies

P@ssword2, P@ssword3, P@ssword4 etc

Also meet them, and rotate just fine.

Meanwhile

dadbffc67f798e8e0b7441fb995aeabe

Is perfectly fine, but often is not allowed


> Is perfectly fine, but often is not allowed

Nor is "correct horse battery staple". For wanting symbols, so many password systems really hate spaces.


I can't tell you how pissed I was when the ex-Pres revealed my password with his "Man Woman Camera TV" rant.


correct horse battery staple is a terrible password :D


Check out the reference here: https://xkcd.com/936/


That's what makes it a bad password.


It's a fantastic example of both how to create memorable high entropy passwords, and a class of passwords that many systems don't allow.

I don't think anyone, even the original responder, views it as an actual password we should all use.


I think you missed a smiley. Here I am, explaining a joke.


I end passwords with "1Aa" or "1Aa," to appease all these random requirements.

Don't worry, the first 10 letters are randomly generated a-z or a-z0-9.


The NIST guidelines address that in a much more straightforward way: maintain a list of known bad passwords (e.g., HIBP) and prohibit users from using any of those. Character class requirements are pointless.
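The two points raised in this thread, that "P@55w0rd!" and "P@ssword3" are just "password" with substitutions and a suffix, and that the NIST approach is to screen against known-bad and breached passwords instead of demanding character classes, can be shown together in one check. The code below is an added example written for this page, not code from any commenter or from NIST. The substitution table, the common-password blocklist and the "breached" sample list are all constructed here; `lookup_range` is a local stand-in for the HIBP Pwned Passwords range query (SHA-1, uppercase hex, first five characters sent, suffixes compared locally) so the example runs offline.

```python
import hashlib
import re

# Constructed: common letter substitutions (the "$ = s, # = h" kind the thread mentions).
LEET = str.maketrans({"@": "a", "$": "s", "5": "s", "0": "o", "3": "e",
                      "4": "a", "1": "l", "!": "l", "#": "h", "7": "t"})

# Constructed blocklist of normalized common passwords (a real deployment would load a large list).
COMMON_BLOCKLIST = {"password", "qwerty", "letmein", "welcome", "admin"}

# Constructed stand-in for a breach corpus; real checks query the HIBP range API instead.
BREACHED_SAMPLES = ["P@55w0rd!", "123456", "correct horse battery staple"]
_RANGE_STORE = {}
for _pw in BREACHED_SAMPLES:
    _h = hashlib.sha1(_pw.encode()).hexdigest().upper()
    _RANGE_STORE.setdefault(_h[:5], {})[_h[5:]] = 1


def normalize(password):
    """Canonical form for blocklist comparison: strip leading/trailing digit-or-symbol
    padding (the "P@ssword2", "...1Aa" pattern), undo substitutions, lowercase."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    return core.translate(LEET).lower()


def lookup_range(prefix):
    """Local stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
    Returns {suffix: count} for every stored hash sharing the 5-char prefix."""
    return _RANGE_STORE.get(prefix, {})


def breach_count(password):
    """k-anonymity style check: only the hash prefix leaves the client, the
    35-char suffix is matched locally against the returned range."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return lookup_range(digest[:5]).get(digest[5:], 0)


def check_password(password, min_length=8):
    """NIST 800-63B style policy: a length floor, a blocklist of known-bad passwords
    (compared after normalization), a breach check, and no character-class rules.
    Spaces and every symbol are allowed. Returns (accepted, reason)."""
    if len(password) < min_length:
        return False, "too short"
    if normalize(password) in COMMON_BLOCKLIST:
        return False, "matches a common password after normalization"
    hits = breach_count(password)
    if hits:
        return False, f"found in breach corpus ({hits} occurrences)"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["P@55w0rd!", "P@ssword3", "correct horse battery staple",
                      "umbrella granite saxophone tide"]:
        print(repr(candidate), "->", check_password(candidate))
```

Note that "P@55w0rd!" satisfies every class rule in the thread and is rejected here anyway, while the spaced four-word phrase is accepted on length and absence from the blocklist and breach set alone; the xkcd phrase itself is rejected only because it is (in this constructed corpus, as in reality) a known password, not because of its shape.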


> can actually result in worse passwords than otherwise

Does actually. I still require some of the password "rotation" schemes folks would use when we were forced to change them monthly (not a typo, sadly):

1qaz2wsx -> 2wsx3edc -> 3edc4rfv...

Pass1word -> Pass2word -> Pass3word...


“February, 2022”

Upper case, lower case, digit, special character, does not match any previous password, changeable monthly without having to write it down…


> The "character class" requirement really doesn't add much security.

If you're generating your passwords randomly (using a password manager) it actually reduces security because it reduces the set of acceptable passwords.


Requiring special characters also reduces the set of allowable passwords by eliminating all passwords that don’t contain at least one special character. The best practice for maximizing the set of acceptable passwords would be to allow, but not require, special characters (and to allow as many of them as possible, not the narrow subset of special characters applications often allow).
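How much a "must contain at least one of each class" rule actually removes from the keyspace of a randomly generated password can be computed exactly by inclusion-exclusion: count all strings over the full alphabet, subtract those missing one required class, add back those missing two, and so on. The code below is an added example for this page, not from any commenter; the class sizes (26 lower, 26 upper, 10 digits, 32 printable ASCII symbols) are an assumption about the generator's alphabet.

```python
from itertools import combinations
from math import log2

# Assumed alphabet: 94 printable ASCII characters split into four classes.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}


def count_passwords(length, required=()):
    """Number of `length`-character strings over the full alphabet that contain
    at least one character from every class in `required` (inclusion-exclusion)."""
    alphabet = sum(CLASSES.values())
    required = tuple(required)
    total = 0
    for k in range(len(required) + 1):
        for excluded in combinations(required, k):
            remaining = alphabet - sum(CLASSES[c] for c in excluded)
            total += (-1) ** k * remaining ** length
    return total


def entropy_bits(length, required=()):
    """log2 of the number of passwords a uniform random generator could emit
    when it must satisfy the given class requirements."""
    return log2(count_passwords(length, required))


def entropy_loss_bits(length, required):
    """Bits of entropy given up by enforcing `required` versus no requirement."""
    return entropy_bits(length) - entropy_bits(length, required)


if __name__ == "__main__":
    for n in (8, 12, 16, 20):
        print(f"length {n:2d}: {entropy_bits(n):6.2f} bits unconstrained, "
              f"all four classes required costs {entropy_loss_bits(n, CLASSES):.3f} bits")
```

For short random passwords the loss is on the order of a bit; for 16 characters and up it is a fraction of a bit, so the reduction the comments describe is real but small compared with the damage done by the human workarounds the rest of the thread lists. The same function also answers the "allow but don't require" variant: it is simply `count_passwords(n)` with no `required` argument.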


That might be the only way to guarantee secure passwords across a platform/company. Of course, then you have to make sure people don't write it on sticky-notes under their desks...


Like how the Nazis thought they were so clever for preventing the Enigma machine from repeating letters in the output. You've just reduced your entropy, sucka!


Not to mention it makes it harder to use the password in automated systems, as lots of places try to parse (or can't encode properly) $, /, -, and others.


I worked on Identity, Credentialing and Access Management (ICAM as it's known) in the Federal space for a while.

The U.S. Fed Gov has been implementing MFA with smart cards since 2001. While there are pockets of ineptitude and resistance, the vast majority of government employees and contractors use a hard token second factor.

Security is a property of a system, so analyzing a particular password policy outside of the given context (mandatory hard token MFA) is nonsense.


Yes, and the latest Zero-Trust guidance is actually legitimately good - it enforces a security practice on all gov agencies that will be better than 99% of the private sector. The password policy is just one line, but still a welcomed slap on the face of all Old Guard folks (who are overrepresented in infosec policy-making). The rule is clear: MFA or GTFO.


And with physical MFA you can get down to PIN level (i.e., 6 digits) and you are beating 90% of other methods.


> In practice, this new rule contradicts almost every InfoSec stance out there

Yeah, that's because those stances are not based in fact, but repeated bad ideas left over from the 70s and 80s.


> almost every InfoSec stance out there

Except other national bodies like NCSC [1], and long-standing academic research e.g. [2, 3], that is!

1. https://www.ncsc.gov.uk/collection/passwords/updating-your-a...

2. https://dl.acm.org/doi/abs/10.1145/1866307.1866328

3. https://link.springer.com/article/10.1007/s10623-015-0071-9


In practice, when dealing with US auditors and infosec chiefs, saying "Some research/guidelines say X is not necessary" will not compel anyone to change, because "This has always been this way, and it doesn't _hurt_". The conversation becomes categorically different if you say "The White House says X is not allowed anywhere."
