22
Stumbled on an old stat about password length that blew my mind
I was digging through some old cybersecurity forums last night, you know the ones from like 2005, and I found a post where a sysadmin said his company required passwords to be exactly 8 characters with symbols and numbers. That was the standard back then I guess. But get this, he said they never had a single breach in 10 years with that setup. Now I look at my bank and they want 16 characters plus two factor, and I still get alerts about suspicious logins. Makes me wonder if we are overcomplicating things or if the bad guys just got way better. What kind of password rules does your job use now?
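The post compares an "exactly 8 characters with symbols and numbers" rule from 2005 against a 16-character rule today. As an added example that is not part of the thread, the Python below puts numbers on that comparison by computing the keyspace of each policy and how long an attacker would need to exhaust it under three guessing rates. The character set (95 printable ASCII), the policy names and the three rates are assumptions for illustration; the post gives no charset or attacker model, and the rates are orders of magnitude, not measurements.

```python
import math

# Constructed policies for the two rules mentioned in the post. The post does
# not say which characters were allowed, so 95 printable ASCII characters is
# an assumption for both.
POLICIES = {
    "exactly 8 chars, mixed": (95, 8),
    "16 chars, mixed": (95, 16),
}

# Assumed attacker guess rates, illustrative orders of magnitude only. Online
# guessing is throttled by lockouts and rate limits; offline guessing against
# a stolen hash database is bounded only by hardware and by how expensive the
# hash function is.
RATES = {
    "online, throttled login": 10.0,
    "offline, fast unsalted hash on one GPU": 1e10,
    "offline, slow KDF (bcrypt/argon2)": 1e4,
}


def keyspace_bits(charset_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password: log2(charset ** length)."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(bits: float, guesses_per_sec: float) -> float:
    """Seconds to try every candidate; an attacker needs half of this on average."""
    return 2.0 ** bits / guesses_per_sec


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value of at least 1."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def compare_policies(policies=POLICIES, rates=RATES) -> dict:
    """Map (policy name, attacker name) -> seconds to exhaust the keyspace."""
    table = {}
    for pname, (charset, length) in policies.items():
        bits = keyspace_bits(charset, length)
        for rname, rate in rates.items():
            table[(pname, rname)] = seconds_to_exhaust(bits, rate)
    return table


if __name__ == "__main__":
    for pname, (charset, length) in POLICIES.items():
        print(f"{pname}: {keyspace_bits(charset, length):.1f} bits")
    for (pname, rname), secs in compare_policies().items():
        print(f"  {pname:<24} vs {rname:<40} {humanize(secs)}")
```

Two things stand out in the output. Against online guessing, even 8 random mixed characters (about 52.6 bits) would take millions of years at 10 guesses per second, so a policy like the 2005 one holds up fine as long as attackers only see the login form. Against an offline attack on a leaked database of fast unsalted hashes, the same 8-character keyspace falls in about a week on the assumed single GPU, while 16 characters stays far out of reach; the slow-KDF row shows that how the server stores the password matters as much as its length. The calculation assumes uniformly random passwords, so human-chosen ones are weaker than the numbers suggest.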
3 comments
phoenix_lewis · 16d ago
Is it just me or does anybody else feel like we are the ones being tested instead of the hackers? I once made my password so complicated that I locked myself out of my own account three times in one week, and the only "two factor" I needed was a nap to recover from the frustration.
10
the_christopher · 16d ago
I've noticed this same pattern with everything, not just passwords. Car ignitions used to be a simple key and now you have push-button start with key fobs that cost 400 bucks to replace, and people still get their cars stolen. Same with phone locks: I had a four-digit PIN for years and nothing happened, now I need Face ID plus a six-digit code plus a backup code. It feels like security is a moving target and the rule makers are just throwing more layers on without really knowing if it helps. Does your company actually check how many of those extra security steps get bypassed by employees anyway?
2
john_fisher · 16d ago
My buddy works IT at a medium-sized company and he told me they did an internal audit last year. Something like 60% of employees kept their complex passwords on sticky notes under their keyboards or in their desk drawers. So all those extra security rules they added were basically pointless because people just found the easiest way around them. He also said the push for mandatory two-factor got so annoying that managers started sharing a single company phone for everyone to use for the codes. So yeah, I think you're right, the people making these rules probably have no clue what actually happens on the ground floor.
5