duffn / dumb-password-rules

A compilation of sites with dumb password rules.
https://dumbpasswordrules.com
MIT License

Thank you for this compilation - now what to do... #80

Open torarebel opened 6 years ago

torarebel commented 6 years ago

I am thankful that so many people have been willing to create this list.

Thank you!

We now have an ever-growing list of those that have it wrong. And it appears from this list that most sites have it wrong.

Here's a challenge: Tell us your preferred password policy that:

Not kidding! Come up with a "good" password policy - so at least when one of these sites fixes their password policy, you can kindly and unarguably remove them from the shame list.

You will be doing the world a great service! Then at least if everyone adopts your policy, everyone will have better passwords, and people can use passwords that follow a pattern even though not the same since everyone reading this knows you SHOULD (RFC 2119) use a different password everywhere.

Once you come up with that, comb through your list again and see if any site is already compliant.

Thank you - sincerely - thank you!

nitrocode commented 5 years ago

I'd like to see a way to get websites off of the list as well. I'd imagine best practices would calculate entropy, maximum of 64 characters, and no copy-paste prevention. As a bonus it would check passwords against already used ones in breaches using the Troy Hunt API.

duffn commented 5 years ago

As far as getting sites off of the list, PRs are certainly welcome to remove sites if they have improved the password rules.

And though I don't have any plans to work on an automated mechanism to remove sites, I am always open to new ideas and PRs.

nitrocode commented 5 years ago

@duffn, what are your thoughts on best practices? Or perhaps this can be a bit more tongue-in-cheek by listing

Ways to get on this list

Make sure to...

Major:

Low:

four43 commented 4 years ago

I like the idea of having a shame list, but I also like the idea of having actionable best practices too to help those learn and get off the list.

allan-simon commented 4 years ago

https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Authentication_Cheat_Sheet.md

medmunds commented 4 years ago

Likely many of the companies and organizations on this list got here because they were trying to follow what were at one time promoted as best practices for password management. (Or what their security consultants told them were the standards.)

And often, the people who see their organization in this list will be developers or other staff who aren't actually in charge of making decisions about password requirements. That is, they know what they're doing is outdated, but may not have the authority to take action.

I'd guess what's most useful for those folks would be updated standards and guidelines—from authoritative sources—that they can provide as evidence to the decision makers in their organizations. The OWASP cheatsheet above is one example. Here are a few more from government agencies:

georgehank commented 2 years ago

Good password policy: a minimum length, and that's it, and that's also pushing it.

Everything else is by definition dumb, as in: the more restrictive you go, the more people will use the simplest possible that complies. I once had (for a local router password…) "UPPERlower1" because those were the rules. For a router that is only accessible from the local network, and where I was the only person on said network.
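Added example (not part of this thread or the repository): a Python policy checker implementing what nitrocode and georgehank describe above, a minimum length, a 64-character maximum, no composition rules or paste blocking, an informational entropy estimate, and a breach check using the 5-hex-character SHA-1 prefix (k-anonymity) scheme of the Pwned Passwords range API. The length bounds are assumed from NIST SP 800-63B, and the breach corpus is a constructed in-memory stand-in so nothing here touches the network.

```python
import hashlib
import math

# Length bounds assumed from NIST SP 800-63B (8-character minimum for
# user-chosen secrets; at least 64 characters must be accepted).
MIN_LENGTH = 8
MAX_LENGTH = 64


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breach corpus, laid out the way a k-anonymity
# range service answers: 5-hex-char SHA-1 prefix -> list of 35-char suffixes.
# In production the dict lookup would be the HTTP range query.
_RANGE_DB: dict[str, list[str]] = {}
for _p in ["password", "123456", "UPPERlower1"]:  # constructed sample entries
    _h = _sha1_hex(_p)
    _RANGE_DB.setdefault(_h[:5], []).append(_h[5:])


def breached_by_prefix(password: str, range_lookup=None) -> bool:
    """Only the first 5 hex chars of the SHA-1 leave the client; the returned
    suffixes are compared locally, so the service never sees the password."""
    lookup = range_lookup or (lambda prefix: _RANGE_DB.get(prefix, []))
    digest = _sha1_hex(password)
    return digest[5:] in lookup(digest[:5])


def estimated_entropy_bits(password: str) -> float:
    """Crude pool-size estimate (length * log2(pool)). Informational only: the
    policy never rejects on it, because composition rules push people toward
    minimal-compliance patterns like 'UPPERlower1'."""
    pool = 0
    if any(c.islower() for c in password): pool += 26
    if any(c.isupper() for c in password): pool += 26
    if any(c.isdigit() for c in password): pool += 10
    if any(not c.isalnum() for c in password): pool += 33
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password: str, range_lookup=None) -> list[str]:
    """Return reasons the password fails; an empty list means accepted.
    Deliberately no composition rules, no character blacklist and no paste
    prevention, so passphrases with spaces and manager-generated secrets pass."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    elif len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if breached_by_prefix(password, range_lookup):
        problems.append("found in breach corpus")
    return problems
```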

toraarebel commented 2 years ago

@georgehank Agreed!

duffn commented 1 year ago

I'll happily welcome any more discussion about how to best remove yourself from this list. There's even been some work on some guidelines here https://github.com/duffn/dumb-password-rules/pull/219