What does a good password policy really look like?

Matt Palmer
11 min read · Feb 25, 2024

Passwords should be the easiest area of security. Every organisation has a password policy. Every organisation uses passwords. Everyone at every organisation uses passwords. Everyone has been trained how to do it. And everyone has been doing it for a very long time.

And they are doing it all wrong.

Password best-practice advice is generic, widely accepted, and often-repeated dogma. But is it right?

In a search for the most common password recommendations, I asked ChatGPT for its password advice. ChatGPT — like all large language models (LLMs) — is a great way of discovering established norms as it takes existing knowledge and attempts to predict the most likely, but not necessarily the best, output. This means that regardless of whether the established norms are right or wrong, an LLM is a great way to find out what they are.

As expected, the model generated this very predictable list of advice:

“1. Length & Complexity: A strong password should be at least 12 characters long, include numbers, symbols, capital letters, and lower-case letters.

2. Avoid Common Words: Don’t use dictionary words, your own personal information, or common phrases as your password. They’re too easy to guess.

3. Unique Passwords
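To make the first two quoted rules concrete, here is an added example (not code from the article or from ChatGPT) that implements "length & complexity" and "avoid common words" as a policy check and runs a few constructed passwords through it. The deny-list is a small constructed stand-in for a real breached-password corpus, and the leet-speak normalisation is an assumed heuristic, not a standard; the point it surfaces is that a password such as `P@ssw0rd123!` satisfies every complexity rule yet is still a dictionary word in disguise, while a long passphrase fails the complexity rule despite containing no common word.

```python
import string

# Constructed deny-list standing in for a real breached-password corpus
# (a real deployment would load a large breach list instead). Illustrative only.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "dragon", "summer"}

# Assumed leet-speak substitutions users apply to sneak a dictionary word
# past a complexity rule. Not exhaustive; just enough for the demonstration.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def meets_complexity(pw: str, min_len: int = 12) -> bool:
    """The 'length & complexity' rule as quoted: 12+ characters with
    upper-case, lower-case, a digit and a symbol."""
    return (len(pw) >= min_len
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def normalise(pw: str) -> str:
    """Undo the cosmetic tricks: lower-case, strip leading/trailing digits and
    symbols ('Welcome2024!' -> 'welcome'), then reverse leet substitutions
    ('p@ssw0rd' -> 'password'). Stripping happens before the leet pass so a
    trailing '123!' is not turned into letters first."""
    core = pw.lower().strip(string.digits + string.punctuation)
    return core.translate(LEET)


def is_common_word(pw: str) -> bool:
    """The 'avoid common words' rule, applied to the normalised core rather than
    the raw string, so dressed-up dictionary words are still caught."""
    return normalise(pw) in COMMON_WORDS


def evaluate(pw: str) -> list:
    """Apply both quoted rules and return the names of the rules the password fails."""
    failures = []
    if not meets_complexity(pw):
        failures.append("complexity")
    if is_common_word(pw):
        failures.append("common word")
    return failures


if __name__ == "__main__":
    # Constructed sample passwords, none taken from any real breach data.
    for candidate in ("P@ssw0rd123!", "Welcome2024!",
                      "correct horse battery staple", "xK9#mQ2$vL7!pZ"):
        verdict = evaluate(candidate) or ["ok"]
        print(f"{candidate!r:34} -> {', '.join(verdict)}")
```

Running it shows the two rules disagreeing: the first two candidates pass complexity but fail the common-word check, the passphrase fails only complexity, and only the random string passes both.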
