An Open Letter about Big All-Powerful Company’s Password Policy

Kelsey Bellew //

Dear Big All-Powerful Company,

Your idea of a ‘strong password’ is flawed.

When I first saw the following message, I laughed. I said out loud, “No, you have not seen that password before, ever; I guarantee it,” but I moved on.

I thought, no big deal, I’ll add some length.

And then adding length didn’t work.

You’re telling me you’ve seen the password I thought up just now, with a character length of THIRTY-SEVEN characters and a complexity of four, “too many times”. Really??

More length?


Are you flagging dictionary words? You have to be flagging dictionary words. What is your password policy, even??

So, at least eight characters, complexity of three; check. Big All-Powerful Company….. why??

You don’t allow Spring18 under the condition of ‘We’ve seen that password too many times before’, but Spr1ng18 is fine, huh?

And then I found out, you’re not flagging ALL dictionary words (just months and your company name, maybe?) when I looked at password policy in the Change Password page. There I was told that my password needed to be at least eight characters, a complexity of three and – oh look, no longer than 16 characters.

You mean to tell me that you consider a password that doesn’t fit within the bounds your text box is both ‘too long’ and ‘weak’.


For anyone who has a similar misconception, please review the following:

Also, here are a couple blog posts we’ve written that go further into depth as to why allowing passwords like Spr1ng18 is a bad idea and how to create better passwords:

How to Increase the Minimum Character Password Length (15+) Policies in Active Directory

10 Ways to Protect Your Online Digital Life

Ready to learn more?

Level up your skills with affordable classes from Antisyphon!

Pay-What-You-Can Training

Available live/virtual and on-demand