Why Your Signup Form Is Less Secure Than You Think (And How to Fix It)

via Dev.to · Eden

You've seen those password rules. "Must be more than 8 characters. Must include a symbol. Must contain a number." They have good intentions, but have one fatal flaw. Us.

You would hope everyone uses something more than "P@ssword1" (or any of its many variants), but unfortunately, you'd be wrong.

[Image: the Bastion Demo showing the password "P@ssword1" being included in 442,781 known breaches.]

So what is actually happening, and what can we do about it?

These "traditional" password rules weren't wrong to exist, but they focus on the wrong thing. Primarily, they focus on what makes a password look complex, rather than what a machine considers "complex". That'd be fine, except most attacks don't work that way. Most passwords susceptible to this are brute forced, rather than recreated from over your shoulder.

NIST (the National Institute of Standards and Technology) actually updated their guidelines recently, recommending longer minimum lengths and preventing the use of common, expe
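The contrast described above, as an added example that is not code from the article or from Bastion: the quoted composition rule accepts "P@ssword1", while a length-plus-blocklist check that folds common substitutions rejects it and its variants. The function names, `MIN_LENGTH`, the substitution map and the four-entry blocklist are assumptions constructed for illustration; a real signup form would query a full breached-password corpus.

```javascript
// Added example: names, MIN_LENGTH and the blocklist are assumptions, not from the article.
const MIN_LENGTH = 12; // assumed policy value
// Constructed stand-in for a breached-password corpus (real ones hold millions of entries).
const BLOCKLIST = new Set(["password", "qwerty", "letmein", "welcome"]);
// Common look-alike substitutions folded back to letters before the lookup.
const LEET = { "@": "a", "4": "a", "0": "o", "1": "l", "!": "i", "$": "s", "5": "s", "3": "e", "7": "t" };

// The "traditional" rule quoted above: more than 8 characters, a symbol, a number.
function passesCompositionRules(pw) {
  return pw.length > 8 && /[^A-Za-z0-9]/.test(pw) && /[0-9]/.test(pw);
}

// Lowercase, drop the trailing digits/symbols people append to satisfy the rules,
// then undo look-alike substitutions so "P@ssword1" and "Passw0rd!" both become "password".
function normalize(pw) {
  const stem = pw.toLowerCase().replace(/[^a-z]+$/, "");
  return Array.from(stem, (ch) => LEET[ch] || ch).join("");
}

// Length-plus-blocklist check; returns every reason a password is rejected.
function checkPassword(pw) {
  const reasons = [];
  if (Array.from(pw).length < MIN_LENGTH) reasons.push("too short");
  if (BLOCKLIST.has(pw.toLowerCase()) || BLOCKLIST.has(normalize(pw))) {
    reasons.push("common password or variant");
  }
  return { ok: reasons.length === 0, reasons };
}

// Constructed sample inputs: print the old rule's verdict next to the new one.
for (const pw of ["P@ssword1", "P@ssword12345!", "correct horse battery staple"]) {
  console.log(JSON.stringify(pw), passesCompositionRules(pw), checkPassword(pw));
}
```

The folding step is a heuristic for obvious variants only; it does not replace an exact lookup against breach data.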

Continue reading on Dev.to
