Coconut Calendar is updating their password requirements and I want to explain why.
We had fairly weak password requirements, and we've been lucky that nothing bad ever came of it. But over the past few months we've really prioritized privacy and security, and one of the first things we wanted to address was our password standards.
We started by rolling out a password manager to all our staff to protect the passwords for the products we use every day. Doing so proved that even our most security-minded staff had room for improvement.
When it came time to discuss what we should require of our user passwords, there were a lot of opinions. We discussed alphanumeric requirements, special characters (!@#$%), duplicated characters, etc. In the end, we looked to the National Institute of Standards and Technology (NIST) and its digital identity guidelines.
LONGER IS STRONGER, MOST OF THE TIME
We took NIST's advice, which is similar to Microsoft's recommendations (PDF), and went with a 10-character minimum and no requirements regarding composition. We also didn't set an arbitrary cap on length (NIST asks that at least 64 characters be allowed). There is a limit, but it exists only to keep things from breaking, and I doubt anyone would ever hit it without really, REALLY trying.
We chose a 10-character minimum because length is what makes guessing expensive: each character you add multiplies the number of possible passwords by the size of the character set, so the work needed to brute-force a password grows exponentially with its length… unless you choose something like password12. A password that appears on a list of common or previously breached passwords is guessed from that list long before anyone brute-forces anything, and no amount of length saves it. Please don't use password12 as your password.
COMPLEXITY REQUIREMENTS DON’T HELP
One thing I hate when I sign up for a new site/service is having to come up with some overly complex password to meet their overly complex password requirements. Namely because they're unnecessary, and really don't help. What happens when you have to use a certain number of numbers or special characters or capital letters? People respond predictably: they capitalize the first letter, replace "e" with "3", "a" with "@", "o" with "0" and "h" with "#", and tack a digit or "!" onto the end. Cracking tools apply exactly those substitutions as rules, so P@ssw0rd12 is about as easy to crack as password12. So, no complexity requirements here. We will show you how strong your password is when you create a new one, and we will reject passwords that are simply too common, but beyond that, if you choose a weak password, we won't stop you.
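Here is what those rules look like as an acceptance check: a length floor counted in characters, a cap that exists only for the hash function's sake, no composition rules, and a common-password list that sees through the usual substitutions. This is an added example written for this post, not Coconut Calendar's own code. The 72-byte cap (bcrypt's input limit) and the tiny common-password set are assumptions standing in for whatever a real service would load.

```python
"""Password acceptance check along the lines the post describes.
Added example, not Coconut Calendar's code."""
from __future__ import annotations

import math
import unicodedata

MIN_CHARS = 10   # the post's minimum
MAX_BYTES = 72   # assumption: bcrypt's input limit; the post only says "there is a limit"

# Constructed stand-in for a breached/common-password corpus. A real
# service loads a large list (for example the Have I Been Pwned set).
COMMON_PASSWORDS = {
    "password", "password1", "password12", "password123", "letmein",
    "qwertyuiop", "iloveyou", "coconutcalendar", "sunshine",
}

# The substitutions people make to satisfy complexity rules, and that
# cracking rule sets undo.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "|": "i",
    "0": "o", "$": "s", "5": "s", "7": "t", "+": "t", "#": "h",
})
TRAILING_JUNK = "0123456789!@#$%^&*.?_-"


def normalize(password: str) -> str:
    """NFKC-normalize so visually identical Unicode strings compare (and
    hash) identically whichever keyboard produced them."""
    return unicodedata.normalize("NFKC", password)


def canonical(password: str) -> str:
    """Strip the cosmetic changes: case, appended digits/symbols, leetspeak.
    P@ssw0rd12 and password12 both come out as 'password'."""
    base = normalize(password).lower().rstrip(TRAILING_JUNK)
    return base.translate(LEET_MAP)


def search_space_bits(password: str) -> float:
    """log2 of the brute-force search space implied by length and the
    character classes present. An upper bound only: it rates P@ssw0rd12
    above password12, which is exactly why the denylist gets the last word."""
    pw = normalize(password)
    classes = 0
    if any(c.islower() for c in pw):
        classes += 26
    if any(c.isupper() for c in pw):
        classes += 26
    if any(c.isdigit() for c in pw):
        classes += 10
    if any(not c.isalnum() for c in pw):
        classes += 33
    return len(pw) * math.log2(classes) if classes else 0.0


def check_password(password: str) -> list[str]:
    """Return the reasons a password is rejected; an empty list means accepted."""
    problems: list[str] = []
    pw = normalize(password)
    if len(pw) < MIN_CHARS:                          # count characters, not bytes
        problems.append(f"shorter than {MIN_CHARS} characters")
    if len(pw.encode("utf-8")) > MAX_BYTES:          # the hash function's limit
        problems.append(f"longer than {MAX_BYTES} bytes")
    if pw.lower() in COMMON_PASSWORDS or canonical(pw) in COMMON_PASSWORDS:
        problems.append("matches a commonly used password")
    return problems
```

Run the two passwords from the text through it and the point of the section falls out: the naive character-class meter awards P@ssw0rd12 about 66 bits against password12's 52, yet both canonicalize to "password" and both are rejected for the same reason. The only rule a user cannot game is the one that checks what they typed against what attackers actually try.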
PASSWORD HINTS? NO THANKS.
Why not? They don't work, and they are shown to whoever is standing at the login page, so a hint leaks information about your password to exactly the people who shouldn't have it (NIST's guidelines say not to offer them to unauthenticated users for that reason). If you forget your password, we have a reset link: we send you an email containing a link that lets you set a new password. That's it.
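Most of what makes an emailed reset link safe lives in the token behind it: unguessable, stored only as a hash, short-lived and single-use. The following is an added example of one way to issue and redeem such tokens; it is not Coconut Calendar's code, and the in-memory store and the 15-minute lifetime are assumptions.

```python
"""Password-reset link tokens, in the shape the post's "reset link" implies.
Added example, not Coconut Calendar's code."""
from __future__ import annotations

import hashlib
import secrets
import time

TOKEN_LIFETIME_SECONDS = 15 * 60   # assumption

# Constructed in-memory store: sha256(token) -> (user_id, expires_at).
# Only the digest is stored, so a leaked table cannot be turned into live links.
_reset_tokens = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_reset_token(user_id: str, now: float | None = None) -> str:
    """Mint a fresh single-use token; the caller emails it inside the reset URL."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, never random.random()
    _reset_tokens[_digest(token)] = (user_id, now + TOKEN_LIFETIME_SECONDS)
    return token


def redeem_reset_token(token: str, now: float | None = None) -> str | None:
    """Return the user id if the token is live and unused, otherwise None.
    The entry is removed on first presentation, so a link cannot be replayed
    and an expired one is gone for good rather than lingering in the table."""
    now = time.time() if now is None else now
    # Hashing before lookup means a timing difference can at most leak the
    # digest, which an attacker cannot invert into a usable token.
    entry = _reset_tokens.pop(_digest(token), None)
    if entry is None:
        return None
    user_id, expires_at = entry
    return user_id if now <= expires_at else None
```

A real deployment wraps this in the things the token alone can't provide: rate limiting per account and per source address, a response that reads the same whether or not the address is registered, invalidation of every outstanding token the moment the password changes, and a reset page that does not send the token off to third parties in a Referer header.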
SIMPLIFY YOUR APPROACH
Like I said before, we’ve embraced password managers here at Coconut Calendar, and that’s our recommendation here too. There are loads of them, some are even free for individuals. We use Dashlane, but there are plenty of others.
Why would we recommend a password manager? One, you don’t have to remember every password you’ve ever created. Two, they can generate secure passwords for you, and that’s a good thing.
NO MANDATORY PASSWORD CHANGES
In several of my previous jobs we had mandatory password changes, and those were my least favorite days at work for obvious reasons. I hated having to update my password when I didn't have the ability to use a password manager to generate and remember my new password. I fell into a trap that I knew was problematic, but I had too much to do to come up with a new password every 60 or 90 days, so I did what any normal person would do: I added a 1 or ! to the end of my existing password and went on about my business.
We won't make you change your password on a schedule. We'll only ask you to change it if we think it may have been compromised.
We take security seriously at Coconut Calendar, and part of that is making sure your personal information is kept safe, and the best way to do that is to choose a strong password when you sign up.