Ran into this insanity on chase.com earlier this week...

Leave the password decision up to your users.

This ^. If i want my password to be "password" so be it; it's my password -- just inform the user that that's probably not a good idea :)

This. Password strength estimation (like zxcvbn) is far superior to password rules.

If you're into this sort of thing, I made a little node app for accessing zxcvbn remotely (along with client libraries for Java and PHP). It's also available as a free hosted service at password.wtf

Awesome. Good stuff, Joel. I can definitely see key based passwords being mostly extinct within the next decade, replaced by biometric recognition. Authentication through facial recognition via built-in camera would be awesome.

Great read, thanks Joel.

Great article and I agree, educating users on passwords in the registration process versus forcing them is probably better.

I'm surprised you didn't mention password managers.

As a user, I can't remember the last time I actually created my own password.

I let the password manager generate it.

Obviously, password managers pose their own security risks, but those risks versus the ease and time saved they present are worth it.

Most people I know use a password manager, between all the devices I have, I couldn't imagine not using one.

Browser's nag features to "save passwords" - are always nagging.

Maybe the rise of password management mirrors the increase in opinionated, technical passwords?

Spend 5 min to read this article while the answer is obviously in asymmetrical cryptography. BitID by example which allow you to login with your Bitcoin address: https://github.com/bitid/bitid Also can be used as a better double auth with smartcard: https://www.ledgerwallet.com/products/3-ledger-hw-1