Some Passwords Should Be Exceptional
2024-11-24
When you’re using a password manager, it usually comes with a tool to generate passwords as well. Mostly, they either generate a series of random characters or a longer series of random real words. Both are secure enough to be effectively uncrackable, given the right parameters.
For my own passwords, I have mostly been using a wordlist to generate passwords. They’re plenty long, ending up being over 60, sometimes 80 or more characters, and beyond 128 bits of entropy: perfectly acceptable. Slap 2FA on top of that, and you’re golden.
But despite it all, the password still needs to include a number…
It’s a case that happens all the time.
I experienced this while setting up a GoFundMe account to raise funds for my cat.
To solve the ‘security problem’ GoFundMe raised, I simply appended a 1 at the end of my already-long password.
These are passwords that are by all means secure, uncrackable, and unguessable, but the password was deemed no good, because there wasn’t a number.
It makes me think that just as there are heuristics for password minimums, there ought to be heuristics for password maximums: exceptions to the baseline password rules once certain thresholds are exceeded.
- Over 60, 75 characters? Allow an exception.
- Over 128, 256 bits of entropy? Allow an exception.
If this idea is a footgun, I can’t think of how. Let me know what you think!
Hi, if you’ve read this far: my cat, Rosie, is in need of help, and I am financially at the end of my means providing it.
Please donate to help her! The story of Rosie is both on her fundraiser page and on the GoFundMe page itself.
All donors who publicly share their names are enshrined on Rosie’s webpage, too.