Most Password Rules Are Useless: A Natural Experiment

A public credential dump enabled a collaboration between researchers and security practitioners at Indiana University to test the effectiveness of password requirements on preventing password reuse. The authors have published their results and will share advice for other security practitioners on how to reduce the risk of password reuse at universities.

Outcomes: Evaluate your own password requirements * Better understand how your requirements prevent (or enable) password reuse on third-party sites * Adjust your password requirements to better prevent reuse