My company just sent out this message to “align with cyber security industry recommendations”.

- Minimum 12 characters
- No complexity requirement—passwords may be a memorable phrase or sentence, with no required combination of letter cases, special characters or numbers

Did I miss something? Was I in the bathroom when the industry decided complexity doesn’t matter? What?!?
I get that users game the password complexity requirements sometimes, but surely the requirement is good for something.