… make it easy to remember and hard to guess.

We spend so much time trying to reduce the need for passwords it’s easy to overlook that password management itself can be improved. Some months ago the Cloud Foundry identity team restructured our approach to password policy. Luke Taylor posted about it on the Cloud Foundry blog. The new approach is inspired by the famous xkcd cartoon which uses “correcthorsebatterystaple”.  We don’t require specific punctuation, case or length. No stupid rules. We dynamically check the password as you type and update a password strength score using an algorithm and open source project also inspired by the xkcd comic. The dynamic feedback is quite intuitive. I’ve quickly learned what makes a strong password — and it’s not an underscore or using a number that looks like a letter. My password lengths have greatly increased but they are much easier to remember. Sometimes small steps are good.

I was reminded of all this by a recent blog post by Sid Sidner. My favorite link (though they are all good) is this one by Don Friesen:

Please do yourself a favor and watch it. It’s my new favorite to show anyone who asks what I do for a living. I tell them that I’m trying to eliminate the stuff this video is talking about. We all hate it so much we can (so far) only laugh about it.