Skip to main content Accessibility Feedback

Password rules are bullshit

This post about passwords from Coding Horror reminds us that most password rules are bullshit.

The two things that matter:

  1. Longer is always better.
  2. Don’t let users create obviously bad passwords, like:
    • Those that are on the top 50 or 100 most used password lists.
    • Their email address.
    • Their user name.
    • The URL of the site.

That said, they also pick apart the length requirement in a world of unicode:

No, seriously, it does. I’ll go so far as to say your password is too damn short. These days, given the state of cloud computing and GPU password hash cracking, any password of 8 characters or less is perilously close to no password at all.

So then perhaps we have one rule, that passwords must not be short. A long password is much more likely to be secure than a short one … right?

What about this four character password?


I’m going to be updating how WordPress for Web Apps handles password requirements based on some of this.

🚀 Make 2018 the year you master JavaScript! My pocket guides and mini courses are short, focused, and made for beginners. You can do this!

Have any questions or comments about this post? Email me at or contact me on Twitter at @ChrisFerdinandi.

Get Daily Developer Tips