==Password rules==
{{Further|Password policy}}
Most organizations specify a [[password policy]] that sets requirements for the composition and usage of passwords, typically dictating minimum length, required categories (e.g., upper and lower case, numbers, and special characters), and prohibited elements (e.g., use of one's own name, date of birth, address, or telephone number). Some governments have national authentication frameworks<ref>{{cite web |url-status=live |url=http://folk.uio.no/josang/papers/ATJK2012-SARSSI.pdf |title=Improving Usability of Password Management with Standardized Password Policies |archive-url=https://web.archive.org/web/20130620105044/http://folk.uio.no/josang/papers/ATJK2012-SARSSI.pdf |archive-date=20 June 2013 |access-date=12 October 2012 |first1=Bander |last1=AlFayyadh |first2=Per |last2=Thorsheim |first3=Audun |last3=Jøsang |first4=Henning |last4=Klevjer }}</ref> that define requirements for user authentication to government services, including requirements for passwords. Many websites enforce standard rules such as minimum and maximum length, but also frequently include composition rules such as requiring at least one capital letter and at least one number or symbol. These latter, more specific rules were largely based on a 2003 report by the [[National Institute of Standards and Technology]] (NIST), authored by Bill Burr.<ref name=zdnet>{{cite web |url-status=live |url=https://www.zdnet.com/article/hate-silly-password-rules-so-does-the-guy-who-created-them/ |title=Hate silly password rules? So does the guy who created them |archive-url=https://web.archive.org/web/20180329160144/http://www.zdnet.com/article/hate-silly-password-rules-so-does-the-guy-who-created-them/ |archive-date=29 March 2018 |website=ZDNet |date= Aug 9, 2017 |first1= Liam |last1=Tung }}</ref> It originally proposed the practice of using numbers, obscure characters and capital letters, and updating passwords regularly.

In a 2017 article in ''[[The Wall Street Journal]]'', Burr reported that he regrets these proposals and made a mistake when he recommended them.<ref>{{cite web |url=https://www.wsj.com/articles/the-man-who-wrote-those-password-rules-has-a-new-tip-n3v-r-m1-d-1502124118 |title=The Man Who Wrote Those Password Rules Has a New Tip: N3v$r M1^d! |archive-url=https://web.archive.org/web/20170809080612/https://www.wsj.com/articles/the-man-who-wrote-those-password-rules-has-a-new-tip-n3v-r-m1-d-1502124118 |archive-date=9 August 2017 |website=The Wall Street Journal |first1=Robert |last1=McMillan |date=Aug 7, 2017 |url-access=subscription |url-status=live }}</ref> According to a 2017 rewrite of this NIST report, a number of [[Website|websites]] have rules that actually have the opposite effect on the security of their users. This includes complex composition rules as well as forced password changes after certain periods of time. While these rules have long been widespread, they have also long been seen as annoying and ineffective by both users and cyber-security experts.<ref name=fort>{{cite web |url-status=live |url=http://fortune.com/2017/05/11/password-rules/ |title=Experts Say We Can Finally Ditch Those Stupid Password Rules |archive-url=https://web.archive.org/web/20180628015547/http://fortune.com/2017/05/11/password-rules/ |archive-date=28 June 2018 |website=Fortune |first1=Jeff John |last1=Roberts |date=May 11, 2017 |url-access=subscription }}</ref> NIST recommends that people use longer phrases as passwords (and advises websites to raise the maximum password length) instead of hard-to-remember passwords with "illusory complexity" such as "pA55w+rd".<ref>{{cite web |url-status=dead |url=https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/ |title=NIST's new password rules – what you need to know |archive-url=https://web.archive.org/web/20180628015550/https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/ |archive-date=28 June 2018 |website=Naked Security |first1=Chester |last1=Wisniewski |date=August 18, 2016 }}</ref> A user prevented from using the password "password" may simply choose "Password1" if required to include a number and an uppercase letter. Combined with forced periodic password changes, this can lead to passwords that are difficult to remember but easy to crack.<ref name=zdnet/> Paul Grassi, one of the 2017 NIST report's authors, further elaborated: "Everyone knows that an exclamation point is a 1, or an I, or the last character of a password. $ is an S or a 5. If we use these well-known tricks, we aren't fooling any adversary. We are simply fooling the database that stores passwords into thinking the user did something good."<ref name=fort/>

Pieris Tsokkis and Eliana Stavrou were able to identify some bad password construction strategies through their research and development of a password generator tool. They came up with eight categories of password construction strategies based on exposed password lists, password cracking tools, and online reports citing the most used passwords. These categories include user-related information, keyboard combinations and patterns, placement strategy, word processing, substitution, capitalization, appended dates, and a combination of the previous categories.<ref>P. Tsokkis and E. Stavrou, "A password generator tool to increase users' awareness on bad password construction strategies", 2018 International Symposium on Networks, Computers and Communications (ISNCC), Rome, 2018, pp. 1-5, {{doi|10.1109/ISNCC.2018.8531061}}.</ref>
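The following is an added illustration, not part of the article and not code from NIST, showing why the section's examples ("Password1", "pA55w+rd", the "$ is an S or a 5" substitutions) satisfy a composition rule yet are still weak. It places a 2003-style composition check beside a check in the spirit of the 2017 NIST guidance (length bounds plus a blocklist of commonly used passwords, with well-known substitutions and appended digits undone before comparison). The blocklist and the substitution table are small constructed samples; a real deployment would load a breach-derived list.

```python
import re

# Constructed stand-in for a list of the most used passwords (hypothetical,
# tiny); a real check would load a large breach-derived list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou"}

# The "well-known tricks" quoted in the article: digits and symbols that stand
# in for letters. Used to undo substitutions before the blocklist lookup.
LEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
                      "1": "i", "!": "i", "3": "e", "7": "t"})


def passes_composition_rules(pw: str, min_len: int = 8) -> bool:
    """2003-style rule: minimum length plus at least one uppercase letter and one digit."""
    return (len(pw) >= min_len
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"\d", pw) is not None)


def normalize(pw: str) -> str:
    """Collapse a candidate to the dictionary word it was built from.

    Lower-case it, strip digits/symbols prepended or appended to satisfy a rule
    ("Password1" -> "password"), undo letter substitutions ("P@ssw0rd" ->
    "password"), and turn any remaining non-letter into a one-character
    wildcard ("pA55w+rd" -> "passw.rd") for matching against the list.
    """
    core = pw.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)
    core = core.translate(LEET)
    return re.sub(r"[^a-z]", ".", core)


def matches_common_password(pw: str) -> bool:
    """True if the password, raw or normalized, is a known common password."""
    if pw.lower() in COMMON_PASSWORDS:
        return True
    pattern = normalize(pw)
    return bool(pattern) and any(re.fullmatch(pattern, w) for w in COMMON_PASSWORDS)


def passes_nist_style(pw: str, min_len: int = 8, max_len: int = 64) -> tuple:
    """Length bounds plus a blocklist check; no composition requirements."""
    if len(pw) < min_len:
        return False, "shorter than %d characters" % min_len
    if len(pw) > max_len:
        return False, "longer than %d characters" % max_len
    if matches_common_password(pw):
        return False, "variant of a commonly used password"
    return True, "accepted"


def compare(candidates):
    """Return {password: (composition_passes, nist_style_passes)} for each candidate."""
    return {pw: (passes_composition_rules(pw), passes_nist_style(pw)[0]) for pw in candidates}


if __name__ == "__main__":
    samples = ["password", "Password1", "pA55w+rd", "P@ssw0rd!",
               "correct horse battery staple"]
    for pw, (comp, nist) in compare(samples).items():
        print(f"{pw!r:34} composition={'pass' if comp else 'fail'}  "
              f"nist-style={'pass' if nist else 'fail'}")
```

Run as a script, the table shows "Password1", "pA55w+rd" and "P@ssw0rd!" passing the composition rule while the normalized blocklist check rejects all three as variants of "password"; the long lower-case passphrase fails the composition rule and is the only candidate the length-plus-blocklist check accepts.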