Why Strict Password Rules Fail and How to Design Better Policies
The article critiques common mandatory password complexity rules, explains why they often reduce security and usability, and proposes simpler, more effective approaches such as longer minimum lengths, pattern restrictions, and using strength estimators like zxcvbn, illustrated with Laravel implementation examples.
Problem
Many sites enforce password policies that require at least one uppercase letter, one lowercase letter, and a digit. While a password like Abcd1234 passes the check, a passphrase such as mu-icac-of-jaz-doad is rejected, even though it is longer and more random.
The author argues that these rules do not actually encourage stronger passwords. They create inconvenience, especially on devices without a password manager, and can lead users to choose predictable passwords like Loverboy1964 that still satisfy the rules.
Proposed Solution
Instead of forcing complex patterns, increase the minimum password length and forbid simple sequences. For example, reject any run of three or more digits with the regular expression /[0-9]{3,}/, and reject the same character appearing three or more times in a row with /(.)\1{2,}/. These two checks remove many common weak passwords (years, PINs, "aaa") without unduly restricting user choice.
Update – Use a Strength Meter
A more modern approach is to drop composition rules entirely and rely on a password‑strength estimator. The open‑source library zxcvbn (GitHub: https://github.com/dropbox/zxcvbn) and its PHP port (GitHub: https://github.com/bjeavons/zxcvbn-php) evaluate passwords based on entropy, dictionary words, and common patterns, providing a single “minimum strength” requirement.
This method scores overall password quality rather than counting specific character classes, so it also catches weak passwords that a length-only rule would let through, such as a long string of repeated characters.
Laravel Example
Using Laravel’s authentication scaffolding, you can add a custom validation rule that applies the regular expressions above and returns a helpful error message when the password does not meet the criteria. The rule can be implemented with preg_match in the controller.
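The following is an added example, not code from the original article: the two pattern checks above plus a length floor, written as a plain PHP function that runs outside Laravel, with a comment showing how it plugs into a Laravel closure rule. The 12-character minimum and the sample passwords are assumptions for illustration.

```php
<?php
// Added example (not from the original article): the article's two pattern
// checks plus a length floor, runnable with plain `php`. The 12-character
// minimum is an assumption chosen for illustration.
const MIN_PASSWORD_LENGTH = 12;

/**
 * Returns the list of reasons a password is rejected; an empty list means it passes.
 */
function passwordPolicyFailures(string $password): array
{
    $failures = [];

    // Length floor instead of character-class composition rules.
    if (mb_strlen($password) < MIN_PASSWORD_LENGTH) {
        $failures[] = sprintf('must be at least %d characters', MIN_PASSWORD_LENGTH);
    }

    // Reject three or more consecutive digits (years, PINs, "1234").
    if (preg_match('/[0-9]{3,}/', $password)) {
        $failures[] = 'must not contain three or more digits in a row';
    }

    // Reject the same character three or more times in a row ("aaa", "!!!").
    if (preg_match('/(.)\1{2,}/', $password)) {
        $failures[] = 'must not repeat the same character three times in a row';
    }

    return $failures;
}

// Constructed sample inputs, including the article's own examples.
$samples = [
    'Abcd1234',            // rejected: too short and digit run "1234"
    'Loverboy1964',        // rejected: digit run "1964"
    'mu-icac-of-jaz-doad', // accepted: long passphrase, no weak pattern
    'aaaaaaaaaaaaaaaa',    // rejected: repeated character
];
foreach ($samples as $candidate) {
    $result = passwordPolicyFailures($candidate);
    printf("%-22s %s\n", $candidate, $result ? 'REJECT: ' . implode('; ', $result) : 'OK');
}

// In a Laravel form request the same function plugs in as a closure rule
// (illustrative wiring only; needs the framework to run):
//   'password' => ['required', function (string $attribute, mixed $value, Closure $fail) {
//       foreach (passwordPolicyFailures($value) as $reason) { $fail("The password $reason."); }
//   }],
```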
Related Comic
The classic xkcd password‑strength comic illustrates why longer passphrases are preferable to complex but short passwords.