What is a Good (Enough) Password Policy
Password policy for an organization or website is a risk management question. There is no password policy standard that is consistently followed. Every organization makes a choice and creates one that fits its needs. The resulting policies are similar but different. Some password policies are complete head scratchers: they put upper limits on password length and exclude some special characters but not others. This pushes end users toward the lowest common denominator. Users commonly reuse passwords, so they end up choosing a password that has the best chance of being widely accepted but is not very secure.
The Impact of Multiple Password Policies
Most people find it impossible to create a password that is unique for every site and also customized to that site’s password policy. This is a very difficult and unnatural process for humans. As a result, websites lose customers because people cannot remember their passwords, and users end up choosing weak passwords.
We in the security community have been recommending that users use unique, complex passwords for every site. Over the years it has become clear that this recommendation by itself is not working. Users need help, or they end up choosing weak passwords and unconsciously accept the risk of compromise.
How ReAn Helps
ReAn was developed to solve the password problem the human way. ReAn generates a unique, super strong password that meets the password complexity requirements of the site. This helps users because they just need to remember the secret, and ReAn’s cryptography provides the strength. ReAn maintains a constantly growing list of sites and their password policies. In the event ReAn does not have the correct password policy, it will default to a very strong password policy that is accepted by most sites. You have the option to add a custom policy through ReAn if it does not already exist. Refer to the video for details.
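The general idea described above (one remembered secret, a per-site password shaped to that site's policy, a strong default when the policy is unknown) can be sketched as follows. This is an added example, not ReAn's code or algorithm, which the page does not describe; the PBKDF2 derivation, the policy table, the site names and the function names are all assumptions made for illustration.

```python
import hashlib
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits

# Constructed sample policies for hypothetical sites (not ReAn's policy list).
POLICIES = {
    # A restrictive site: 12-character upper limit, no special characters.
    "bank.example": {"length": 12, "classes": [LOWER, UPPER, DIGITS]},
    # A site that accepts only some special characters.
    "shop.example": {"length": 20, "classes": [LOWER, UPPER, DIGITS, "!@#$"]},
}
# Fallback for unknown sites (assumed values).
DEFAULT_POLICY = {"length": 24, "classes": [LOWER, UPPER, DIGITS, "!@#$%^&*-_"]}


def derive_password(secret, site, policy=None):
    """Deterministically derive a policy-conforming password for one site."""
    policy = policy or POLICIES.get(site, DEFAULT_POLICY)
    classes, length = policy["classes"], policy["length"]
    # Slow KDF salted with the site name: same secret, unrelated per-site output.
    seed = hashlib.pbkdf2_hmac("sha256", secret.encode(), site.encode(), 200_000, dklen=64)
    n = int.from_bytes(seed, "big")  # 512 bits, far more than is consumed below
    chars = []
    for cls in classes:  # guarantee one character from every required class
        n, i = divmod(n, len(cls))
        chars.append(cls[i])
    alphabet = "".join(classes)
    while len(chars) < length:  # fill the rest from the full allowed alphabet
        n, i = divmod(n, len(alphabet))
        chars.append(alphabet[i])
    for j in range(len(chars) - 1, 0, -1):  # seeded Fisher-Yates shuffle
        n, k = divmod(n, j + 1)
        chars[j], chars[k] = chars[k], chars[j]
    return "".join(chars)


def meets_policy(password, policy):
    """Check length, allowed characters, and one character per required class."""
    allowed = set("".join(policy["classes"]))
    return (len(password) == policy["length"]
            and set(password) <= allowed
            and all(any(c in cls for c in password) for cls in policy["classes"]))


if __name__ == "__main__":
    for site in ("bank.example", "shop.example", "unknown.example"):
        print(site, derive_password("constructed demo secret", site))
```

Because nothing is stored, the same secret and site always reproduce the same password, and a restrictive policy only changes the output's shape, not the secret the user has to remember.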