I had an argument with a very smart, very capable server-side programmer a few years ago when I was integrating a project of my own with the Web services API (application programming interface) that he and his group had built. I was relying on his firm to manage the user session, including account information and password but no financial details, and I thought the password policy was rather elaborate, while also not encouraging good passwords.
I can’t remember the precise details, but I believe it involved the usual requirement of uppercase and lowercase characters, both a minimum and maximum length, and numerals and punctuation.
My missive to him noted, “Entropy is better served by a longer memorable password than complex ones.” His argument was that people chose terrible passwords already, so enforcing some minimal complexity was better than allowing anything. We left it at that.
To read this article in full or to leave a comment, please click here
