Skip to main content Skip to secondary navigation Accessibility Feedback

Password rules are bullshit

This post about passwords from Coding Horror reminds us that most password rules are bullshit.

The two things that matter:

  1. Longer is always better.
  2. Don’t let users create obviously bad passwords, like:
    • Those that are on the top 50 or 100 most used password lists.
    • Their email address.
    • Their user name.
    • The URL of the site.

That said, they also pick apart the length requirement in a world of unicode:

No, seriously, it does. I’ll go so far as to say your password is too damn short. These days, given the state of cloud computing and GPU password hash cracking, any password of 8 characters or less is perilously close to no password at all.

So then perhaps we have one rule, that passwords must not be short. A long password is much more likely to be secure than a short one … right?

What about this four character password?


I’m going to be updating how WordPress for Web Apps handles password requirements based on some of this.

Have any questions or comments about this post? Email me at or contact me on Twitter at @ChrisFerdinandi.

Get the Spare Parts Newsletter

Every week, I send out a short email packed with web development resources and interesting stuff from around the web.