Password composition policies are rules that dictate what constitutes an acceptable password before the user is allowed to create it. Typical requirements include a minimum length and a mix of uppercase and lowercase letters, digits, and special characters.
Research shows that users respond to these requirements in predictable ways when forced: they capitalize the first letter, append a digit or a symbol, or swap in look-alike characters such as "@" for "a". Because attackers model exactly those transformations, composition policies can fail to deliver their intended security benefit.
Checking candidate passwords against a blacklist of known-breached and commonly chosen passwords is a more effective way to improve password security. Evaluating estimated strength, meaning resistance to guessing, rather than character-class complexity is also useful. Length is the primary factor in password strength, so users should be allowed, and encouraged, to make their passwords as long as they want rather than capped at an arbitrary maximum.
A significant subset of users still choose easy-to-guess passwords, such as P@ssword1, that satisfy every typical composition rule yet remain highly vulnerable to attackers, because the rule is met by a predictable transformation of a dictionary word.
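To make the contrast concrete, the following is an added example in Python, not code from the original page: a conventional composition check placed next to a blacklist-plus-length check that first undoes the predictable substitutions users make to satisfy composition rules. The blacklist entries and the substitution table are constructed for illustration; a real deployment would load a breached-password list and a larger substitution map.

```python
import re

# Constructed blacklist standing in for a breached-password list.
# Sample data for this example only.
BLACKLIST = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}

# Common look-alike substitutions users apply to satisfy composition rules.
# Assumed table for this example; extend it from real password-cracking rule sets.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})


def meets_composition_policy(pw: str, min_len: int = 8) -> bool:
    """A typical composition policy: minimum length plus all four character classes."""
    return (
        len(pw) >= min_len
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[a-z]", pw) is not None
        and re.search(r"[0-9]", pw) is not None
        and re.search(r"[^A-Za-z0-9]", pw) is not None
    )


def normalize(pw: str) -> str:
    """Reverse the predictable transformations: lowercase, strip leading and
    trailing digits/symbols (the appended '1' or '!'), then undo leet substitutions.
    Trailing characters are stripped before translation so a final '1' is treated
    as an appended digit, not as an 'i'."""
    core = pw.lower()
    core = re.sub(r"[^a-z]+$", "", core)   # drop appended "1", "!", "123"
    core = re.sub(r"^[^a-z]+", "", core)   # drop prefixed symbols
    return core.translate(LEET_MAP)


def evaluate(pw: str, min_len: int = 8, max_len: int = 128):
    """Blacklist-plus-length policy. Returns (accepted, reason).

    No character-class rules: a long passphrase of lowercase words is accepted.
    The maximum is deliberately generous and only bounds hashing cost; it is not
    a complexity rule."""
    if len(pw) < min_len:
        return False, f"shorter than {min_len} characters"
    if len(pw) > max_len:
        return False, f"longer than {max_len} characters"
    if pw.lower() in BLACKLIST:
        return False, "on the blacklist"
    core = normalize(pw)
    if core and core in BLACKLIST:
        return False, f"blacklisted base word '{core}' with predictable substitutions"
    return True, "ok"


if __name__ == "__main__":
    # Constructed candidates: the policy-compliant weak password from the text,
    # two leet-style variants, and a long lowercase passphrase.
    for candidate in ("P@ssword1", "L3tm31n!", "QWERTY123", "correct horse battery staple"):
        composition = meets_composition_policy(candidate)
        accepted, reason = evaluate(candidate)
        print(f"{candidate!r:34} composition={composition!s:5} "
              f"blacklist+length={accepted!s:5} ({reason})")
```

Run as a script, the table shows the inversion the text describes: P@ssword1 passes the composition policy and is rejected by the blacklist check once its substitutions are undone, while the lowercase passphrase fails the composition policy and is accepted by the length-based one. The normalization is intentionally simple; real crackers apply far richer rule sets, so a production checker should normalize at least as aggressively as the attacker is assumed to.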
Improving password security in this way does not require sacrificing user experience: blacklist and length checks reject far fewer reasonable choices than composition rules do. Multi-Factor Authentication (MFA) is also a useful option for improving security, since a guessed password alone no longer grants access.