Most users understand the nature of security risks related to easy-to-guess passwords. Password policies are a set of rules created to increase password security by encouraging users to create strong, secure passwords, and then properly store and utilize them.
The lesson here is that while adding numbers increases the strength, the passwords get a greater strength increase through even a small increase in length. A larger increase in length creates an enormous difference for creating difficult passwords. As a rule of thumb, each bit corresponds to doubling the number of possible options (and so doubling the amount of work an attacker needs to do).
As we built Discourse, I discovered that the login dialog was a remarkably complex piece of software, despite its surface simplicity. The primary password rule we used was also the simplest one: length. Since I wrote that, we've already increased our minimum password default length from 8 to 10 characters. And if you happen to be an admin or moderator, we decided the minimum has to be even more, 15 characters.
Lucky you, there are millions and millions of real breached password lists out there to sift through. It is sort of fun to do data forensics, because these aren't hypothetical synthetic Jack the Ripper password rules some bored programmer dreamed up, these are real passwords used by real users.
Items #3 through #5 are more like genie-special-exception checks, a you can't wish for infinite wishes kind of thing. It doesn't need to be discussed up front because it should be really rare. Yes, you must stop users from having comically bad passwords that equal their username, or aaaaaaaaaaa or 0123456789, but only as post-entry checks, not as rules that need to be explained in advance.
Typically, humans are asked to choose a password, sometimes guided by suggestions or restricted by a set of rules, when creating a new account for a computer system or internet website. Only rough estimates of strength are possible since humans tend to follow patterns in such tasks, and those patterns can usually assist an attacker. In addition, lists of commonly chosen passwords are widely available for use by password guessing programs. Such lists include the numerous online dictionaries for various human languages, breached[clarification needed] databases of plaintext and hashed passwords from various online business and social accounts, along with other common passwords. All items in such lists are considered weak, as are passwords that are simple modifications of them.
Previous password policies used to prescribe the characters which passwords must contain, such as numbers, symbols or upper/lower case. While this is still in use, it has been debunked as less secure by university research, by the original instigator of this policy, and by the cyber security departments (and other related government security bodies) of USA and UK. Password complexity rules of enforced symbols were previously used by major platforms such as Google and Facebook, but these have removed the requirement following the discovery they actually reduced security. This is because the human element is a far greater risk than cracking, and enforced complexity leads most users to highly predictable patterns (number at end, swap 3 for E etc.) which actually helps crack passwords. So password simplicity and length (passphrases) are the new best practice and complexity is discouraged. Forced complexity rules also increase support costs, user friction and discourage user signups. 2b1af7f3a8