Why most password requirements are silly. Also, here's our flavor

If you intend on building a secure application, you should enforce strong password requirements to prevent bad actors from easily breaching your users’ accounts.

Having revamped our password requirements twice as part of our work at Infisical, I discuss password requirements in this article from end to end: what is silly about many modern requirements, and what NIST recommends for making good ones.

What are password requirements?

To begin, a password requirement is any rule that a password must conform to. For instance, a requirement might be to include at least 1 uppercase character; a more stringent requirement might combine multiple rules together.

Having password requirements is important for mitigating risk, since people are terrible at choosing good passwords. In fact, the infamous RockYou incident back in 2009 confirmed this when 32 million user accounts were breached: because the passwords had been stored in cleartext, we learned just how terrible people are at choosing them. Consider these top six most commonly used passwords found in the breach:

  • princess
  • rockyou
  • 1234567
  • 12345678
  • abc123

Unsurprisingly, bad actors routinely exploit such weak passwords, using methods that target leaked passwords and common patterns, and gain access to accounts wherever they can.
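As an added example (not Infisical's code or the article's own), here is how such a policy can be expressed in TypeScript: each requirement is a named rule, a policy combines several, and a denylist rule is seeded with the RockYou passwords listed above. The minimum length of 8 and the rule names are assumed values for illustration.

```typescript
// Added example, not Infisical's code: a password requirement is a named rule
// that a candidate password must satisfy; a policy is a list of such rules.
type Rule = { name: string; check: (pw: string) => boolean };

// Constructed denylist seeded with the RockYou passwords quoted in the article.
// A real deployment would load a far larger breached-password list.
const COMMON_PASSWORDS: ReadonlySet<string> = new Set([
  "princess", "rockyou", "1234567", "12345678", "abc123",
]);

// Single rule: a minimum length (8 is an assumed value, not the article's).
function minLength(n: number): Rule {
  return { name: `at least ${n} characters`, check: (pw) => pw.length >= n };
}

// Single rule: the classic composition requirement mentioned in the article.
const hasUppercase: Rule = {
  name: "at least 1 uppercase character",
  check: (pw) => /[A-Z]/.test(pw),
};

// Single rule: reject known-common passwords. Lower-case before the lookup so
// trivial variants such as "Princess" or "ROCKYOU" still hit the denylist.
const notCommon: Rule = {
  name: "not a commonly used / breached password",
  check: (pw) => !COMMON_PASSWORDS.has(pw.toLowerCase()),
};

// Evaluate every rule and report each one that fails, so a sign-up form can
// show the user everything that is wrong instead of one complaint at a time.
function checkPassword(pw: string, policy: Rule[]): string[] {
  return policy.filter((r) => !r.check(pw)).map((r) => r.name);
}

// Example policy combining the rules above.
const POLICY: Rule[] = [minLength(8), hasUppercase, notCommon];

// Demo run over a few constructed candidates.
for (const candidate of ["princess", "1234567", "Correct Horse Battery"]) {
  const failures = checkPassword(candidate, POLICY);
  console.log(candidate, failures.length === 0 ? "ok" : failures);
}
```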

That said, by considering guidance set forth by the National Institute of Standards and Technology (NIST), the regulatory and compliance frameworks that apply to you, and your specific circumstances, you can make it difficult for bad actors to brute-force passwords, ideally without sacrificing user experience.
