Common passwords vs password complexity

Many websites, especially ones built without much security review, require users to meet certain "password complexity" requirements. At AuthRamp, we instead recommend requiring users to avoid common passwords.

It makes very little sense to accept a "complex" password like P@ssw0rd. It is a common password, yet it meets most complexity requirements: it contains mixed case letters, numbers, and a special character. It is also exceptionally easy for an attacker to guess.

A randomly generated passphrase, such as poppy-pond-doorframe-glove, is far more secure, but meets almost no complexity standards. I generated this passphrase at the time of writing this article as an example; it is not in any known common password list, and it would be especially difficult for a computer to guess or to brute force against a hash.
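The following is an added illustration, not code from the original article or from AuthRamp, of the two policies side by side: a typical three-character-class complexity rule and a common-password blocklist check. The blocklist here is a small constructed sample; a real deployment would load a large breach-derived list. It shows that P@ssw0rd passes the complexity rule but is rejected by the blocklist, while the passphrase above fails the complexity rule yet is accepted by the blocklist policy. Function names and the `min_len` parameter are assumptions made for this example.

```python
import re

# Constructed sample of a common-password list (lowercase). A real deployment
# would load millions of entries from a breach-derived list instead.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "p@ssw0rd", "letmein", "welcome1",
    "admin123", "iloveyou", "monkey", "dragon",
}


def meets_complexity(password: str, min_len: int = 8) -> bool:
    """Typical naive complexity policy: minimum length plus lowercase,
    uppercase, digit and special character all present."""
    return (
        len(password) >= min_len
        and re.search(r"[a-z]", password) is not None
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"\d", password) is not None
        and re.search(r"[^A-Za-z0-9]", password) is not None
    )


def is_common(password: str, common: set = COMMON_PASSWORDS) -> bool:
    """True if the password appears in the common-password set.

    Comparison is case-insensitive, and a second lookup strips trailing
    digits/punctuation so that 'Password1!' still matches 'password'.
    """
    lowered = password.lower()
    if lowered in common:
        return True
    stripped = re.sub(r"[\d\W_]+$", "", lowered)
    return stripped != lowered and stripped in common


def blocklist_policy_accepts(password: str, min_len: int = 8) -> bool:
    """Blocklist-based policy: a minimum length plus 'not a common password'.
    No character-class requirements at all."""
    return len(password) >= min_len and not is_common(password)


def evaluate(password: str) -> dict:
    """Report how a candidate fares under each policy, for comparison."""
    return {
        "meets_complexity": meets_complexity(password),
        "is_common": is_common(password),
        "blocklist_policy_accepts": blocklist_policy_accepts(password),
    }


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "Password1!", "poppy-pond-doorframe-glove"):
        print(candidate, evaluate(candidate))
```

Running the block prints that `P@ssw0rd` satisfies every complexity rule yet is flagged as common, and that the passphrase fails the complexity rule (no uppercase, no digit) while the blocklist policy accepts it. The suffix-stripping lookup is a cheap normalization; production blocklist checks typically go further, for example by testing the password against a hashed-prefix breach corpus rather than a local set.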

To help you meet your business's security and compliance requirements, AuthRamp supports both password complexity requirements and common password rejection. In general, though, we emphasize common password rejection, because it provides better security with less fuss for end users.