The primary objective of a theoretically sound password formulation policy is password diversity – we want our identity system to contain lots of different, hard to guess passwords.
There are several ways to achieve this but unfortunately most of the common approaches in use today, such as length requirements, complexity requirements, and change requirements, are far from helpful.
Good password practices fall broadly into two categories: resisting attacks and containing successful attacks. There is, however, a third category: human nature. People react in predictable ways when confronted with password constraints, so guidance needs to break those predictable patterns rather than encourage them.
Guidance #1 – Length requirements
Excessive length requirements can result in user behaviour that is predictable and undesirable. As an example, users that are required to have a 16-character password may choose repeating patterns such as ‘passwordpassword’ that meet the requirement but are clearly not difficult to guess.
Long password requirements also guarantee all passwords will be within a few characters of the minimum required length, which makes it easier for attackers to successfully formulate their attacks. Long passwords also significantly increase the probability that users will adopt other insecure practices such as writing their passwords down or reusing them.
Longer passwords do increase the time it takes to crack a hashed password. However, by the time you force users to adopt passwords that are truly resistant to brute-force attacks (around 18 characters), the resulting passwords are so long that they inevitably lead to poor behaviours as users struggle to remember them.
Guidance #2 – Requiring the use of multiple character sets
Most systems enforce some level of password complexity requirements such as using uppercase and lowercase letters, numbers, and other non-alphanumeric characters.
Most people use similar patterns, such as a capital letter in the first position, a symbol in the last, and a run of sequential numbers. Malicious actors know this and run their dictionary attacks following that pattern, together with common substitutions such as $ for s and @ for a.
Guidance #3 – Password expiry for users
Password change offers little containment benefit as malicious actors will typically use a credential soon after compromise, and in most cases before any expiration timeframe dictated by the identity platform comes into effect.
Mandated password changes are a long-standing security practice, but research strongly indicates that password expiration has a negative effect. Experiments have shown that users do not choose a new independent password; rather, they choose an update of the old one (such as changing January2020! to February2020!). There is evidence to show that users who are required to change their password frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can easily guess.
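As an added example (not from the original source), the following Python checker flags the predictable patterns Guidance #1, #2 and #3 describe, instead of enforcing length, character-set or expiry rules: a block repeated to pad out the length, the capital-first/symbol-last shape with $/@ substitutions undone before comparing against a banned list, and a "new" password that is only an update of the previous one. The banned list, the extra 0/1/3 substitutions and the 0.6 similarity threshold are assumptions for the demonstration.

```python
import re
from difflib import SequenceMatcher

# Substitutions named in the text ($ for s, @ for a); 0/1/3 are assumed additions.
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "i", "3": "e"})

# Constructed banned list; a real deployment would load a breached-password corpus.
BANNED = {"password", "welcome", "letmein", "qwerty"}


def core_word(pw: str) -> str:
    """Strip the digits/symbols users append, lower-case, and undo substitutions."""
    return re.sub(r"[^A-Za-z]+$", "", pw).lower().translate(LEET)


def weaknesses(new_pw: str, old_pw: str = "") -> list:
    """Return the predictable patterns found in new_pw (empty list = none found)."""
    found = []
    # Guidance #1: a block repeated to satisfy a length rule, e.g. 'passwordpassword'.
    if re.fullmatch(r"(.+?)\1+", new_pw):
        found.append("repeated block")
    # Guidance #2: capital first, digits then a symbol last is the shape crackers try first.
    if re.fullmatch(r"[A-Z][a-z]+\d*[^A-Za-z0-9]?", new_pw):
        found.append("capital-word-digits-symbol pattern")
    if core_word(new_pw) in BANNED:
        found.append("banned word after undoing substitutions")
    # Guidance #3: an 'update' of the previous password rather than an independent one.
    if old_pw:
        ratio = SequenceMatcher(None, new_pw.lower(), old_pw.lower()).ratio()
        if ratio >= 0.6 or core_word(new_pw) == core_word(old_pw):
            found.append(f"too similar to previous password (ratio {ratio:.2f})")
    return found


if __name__ == "__main__":
    for new, old in [("passwordpassword", ""), ("P@ssw0rd1!", ""),
                     ("February2020!", "January2020!"), ("correct horse battery staple", "")]:
        print(f"{new!r}: {weaknesses(new, old) or 'no predictable pattern found'}")
```

The similarity check deliberately compares the raw strings as well as the stripped core word, so that January2020! to February2020! is caught even though the core words differ.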
For further reading, please see the original source which contains references to primary research.