
Rules for good passwords seem less like security measures and more like a practical joke. Your password must have at least one uppercase letter, one lowercase letter, one number, and one special character. It must not contain dictionary words, but it must also be memorable. It must be changed every 90 days, but it must not be similar to your last five passwords. It should be impossible for anyone to guess, except for you, who must recall it effortlessly at a moment’s notice.[1]
All of these rules make me think of games. Not fun games, exactly—no one is lining up to play Password Compliance: The Board Game—but games nonetheless. The kind of games where the rules keep changing just as you start to understand them. The kind where no matter what move you make, you’re told you did it wrong. The kind where the only prize for winning is the opportunity to play again in 90 days when your password inevitably expires.
The First Game: Fighting Cybercriminals (Badly)
This was a game we played against the cybercriminals. The thinking behind these password rules was simple: complexity equals security. If a password contained enough random characters, it would be too difficult to guess, and hackers would give up.
The problem is that hackers don’t guess passwords manually. They use massive databases of stolen passwords and automated programs that can try billions of combinations in seconds. Meanwhile, people—who actually have to remember their passwords—fall into predictable patterns. They capitalize the first letter, swap “o” for “0,” and add an exclamation mark at the end. The result is a system where everyone thinks they’re being clever, but in reality, they’re all doing the same thing. The special characters are used to replace similar-looking letters, like $ for S.[2]
Even Bill Burr, the guy who wrote these password rules, later admitted he got it wrong. In a 2017 interview, he told The Wall Street Journal, “Much of what I did I now regret.” The article’s headline summed it up perfectly: The Man Who Wrote Those Password Rules Has a New Tip: N3v$r M1^d!
The Second Game: Doing the Bare Minimum
Once people realized the rules weren’t actually helping, they started treating password creation like an annoying chore—something to get through as quickly as possible. And so began the game of doing the bare minimum.
This is where passwords like “Pa$$word1” and “Qwerty123!” come from. They technically check all the boxes, but they require as little effort as possible. When forced to update, people don’t create a brand-new password. They just increment the number at the end—“Pa$$word2,” “Pa$$word3”—until, inevitably, they cycle back to the beginning.
To stop this, companies introduced even more rules: no repeating passwords, no dictionary words, no sequences of numbers. But this just led to more predictable behavior. People started using “Winter2024!” in the winter, “Summer2024!” in the summer, and their company’s name plus “123!” whenever they needed a fallback. The rules weren’t making passwords stronger. They were just making them more annoying.
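The patterns described above (leet swaps, a number incremented on every rotation, a season plus a year, the company name plus “123!”) are exactly what a blocklist-style check catches when it normalises the candidate before comparing it. The following is an added example, not code from the post or from any product it mentions: it undoes the common substitutions, strips the trailing digits and punctuation, and then compares the remaining base word against a small constructed blocklist and the previous password. The blocklist, the hypothetical company name “examplecorp”, and the `screen` and `normalise` function names are assumptions for illustration; a real deployment would screen against a large breached-password corpus instead.

```python
import re
from typing import Optional

# Constructed miniature blocklist for the example. A real check uses a corpus of
# known-compromised passwords plus the organisation's own names and products.
BLOCKLIST = {"password", "qwerty", "letmein", "welcome", "examplecorp"}

SEASONS = {"spring", "summer", "autumn", "fall", "winter"}

# The leet substitutions the post describes, reversed so that "Pa$$w0rd"
# and "password" normalise to the same base word.
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                        "5": "s", "7": "t", "$": "s", "@": "a"})


def normalise(pw: str) -> str:
    """Reduce a password to its base word.

    Trailing digits and punctuation are stripped first (so a year or an
    incremented counter disappears), then leet characters are mapped back
    to letters and the result is lower-cased.
    """
    core = re.sub(r"[\d!@#$%^&*().?_-]+$", "", pw)
    return core.translate(UNLEET).lower()


def screen(candidate: str, previous: Optional[str] = None) -> list:
    """Return the reasons a candidate password is rejected (empty list = accepted)."""
    reasons = []
    base = normalise(candidate)
    if len(candidate) < 8:
        # NIST SP 800-63B sets 8 characters as the minimum for user-chosen secrets.
        reasons.append("shorter than 8 characters")
    if base in BLOCKLIST:
        reasons.append(f"base word '{base}' is on the blocklist")
    if base in SEASONS:
        reasons.append(f"season name '{base}' with a throwaway suffix")
    if previous is not None and base == normalise(previous):
        reasons.append("only the suffix changed since the previous password")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs taken from the patterns the post describes.
    for old, new in [(None, "Pa$$word1"), ("Pa$$word1", "Pa$$word2"),
                     (None, "Winter2024!"), (None, "ExampleCorp123!"),
                     (None, "correct horse battery staple")]:
        verdict = screen(new, old) or ["accepted"]
        print(f"{new!r}: {'; '.join(verdict)}")
```

Note that the normalisation is deliberately aggressive: a check like this rejects “Pa$$word2” even though it differs from “Pa$$word1” by a character, while a four-word passphrase with no blocklisted base word passes untouched, which is the behaviour the NIST guidance in the footnotes asks for (screen against known-weak values, don’t impose composition rules).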
The Third Game: The XKCD Solution: CorrectHorseBatteryStaple
At some point, people started looking for a better way to play. Enter the XKCD solution, explained in this comic. Instead of creating short, complicated passwords like “Tr0ub4dor&3,” it suggests using a string of four random words—something like “CorrectHorseBatteryStaple.”

This kind of passphrase is actually more secure because the length makes it harder for hackers to crack, but it’s still easy for humans to remember. It seems like the perfect solution.
The game here is finding a series of fun, unrelated words that create a story—something absurd enough to stick in your mind but random enough to keep hackers out. It turns password creation into a kind of creative exercise: LemonJetpackCactusBridge or MoonlightToasterVelcroShark. Suddenly, security isn’t about wrestling with arbitrary rules—it’s about picking a phrase that makes you smile every time you type it.
Let’s think about the story behind CorrectHorseBatteryStaple. Maybe the horse, proud and steadfast, is on a mission to deliver a vital battery across the countryside, galloping past fields and streams. Maybe the staple is a metaphor—holding the whole adventure together, or maybe it’s just inexplicably important to the plot. Whatever the case, it’s memorable. It paints a picture in your mind, something far easier to recall than a scrambled mess of letters and numbers.
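The comic’s argument is about search space, and it is worth carrying the arithmetic through. The code below is an added example and is not part of the original post or of XKCD: it reproduces the comic’s two estimates (roughly 28 bits for the “Tr0ub4dor&3” pattern, built from a ~16-bit uncommon base word plus a few bits each for capitalisation, substitutions, a digit, punctuation and their order; 44 bits for four words drawn uniformly from a 2048-word list), turns bits into a worst-case search time at a given guess rate, and generates a passphrase with a cryptographically secure choice. The tiny word list and the guess rates are constructed assumptions for illustration; a real list would have thousands of entries.

```python
import math
import secrets

# Constructed miniature word list for illustration only. The comic assumes a list
# of about 2048 words, i.e. 11 bits of entropy per uniformly chosen word.
WORDS = ["correct", "horse", "battery", "staple", "lemon", "jetpack",
         "cactus", "bridge", "moonlight", "toaster", "velcro", "shark"]


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Entropy of `symbols` independent uniform picks from `choices_per_symbol` options."""
    return symbols * math.log2(choices_per_symbol)


def leet_pattern_bits() -> int:
    """The comic's breakdown of a 'Tr0ub4dor&3'-style password (about 28 bits)."""
    components = {
        "uncommon base word": 16,
        "capitalisation (first letter or not)": 1,
        "common leet substitutions": 3,
        "appended numeral": 3,
        "appended punctuation": 4,
        "order of numeral and punctuation": 1,
    }
    return sum(components.values())


def crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to exhaust a search space of 2**bits at the given rate."""
    return 2 ** bits / guesses_per_second


def make_passphrase(words: list, count: int = 4, sep: str = " ") -> str:
    """Pick `count` words with secrets.choice, not random.choice (which is not CSPRNG-backed)."""
    return sep.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    year = 365.25 * 86400
    online = 1_000            # assumed throttled online guessing rate, as in the comic
    offline = 10_000_000_000  # assumed offline rate against a fast, unsalted hash

    for label, bits in [("Tr0ub4dor&3 pattern", leet_pattern_bits()),
                        ("4 words from 2048", entropy_bits(2048, 4)),
                        ("6 words from 7776 (diceware-sized list)", entropy_bits(7776, 6))]:
        print(f"{label}: {bits:.1f} bits, "
              f"online {crack_seconds(bits, online) / 86400:.1f} days, "
              f"offline {crack_seconds(bits, offline) / year:.4f} years")

    print("generated:", make_passphrase(WORDS))
```

Two things the numbers show that the comic’s framing can hide. First, 44 bits is plenty against a throttled online login (centuries at a thousand guesses a second) but only about half an hour against an offline attack on a fast hash, so for secrets that protect an offline-crackable store the same scheme needs more words or a slow, salted password hash on the server side. Second, the entropy figure only holds if the words are chosen uniformly at random by a machine; a phrase a person picks because it “makes them smile” is drawn from a far smaller and more predictable set of words.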
The Best Game of All: The Password Game from Neal.fun
And then there’s The Password Game from Neal.fun, which satirizes everything wrong with modern password rules by taking them to their most ridiculous extreme. It starts out simple—your password must contain a capital letter and a number. Then, slowly, it starts piling on new requirements.
At first, it feels familiar. You’ve been through this before—adding special characters, making sure it’s long enough, avoiding common words. But then it keeps going. Every time you think you’ve finally met all the conditions, another rule appears. You need a Roman numeral. A word that isn’t in the dictionary. An emoji. A reference to a live chess game.
It isn’t just a game—it’s a parody. It captures exactly what it feels like to create passwords in real life. Just when you think you’re done, some new, arbitrary requirement gets in the way.
The Password Game isn’t just poking fun at password rules. It’s holding up a mirror. It’s showing us what we’ve been putting up with for years. The absurdity. The frustration. The complete lack of common sense. It’s making fun of all of it, and somehow, that makes it feel a little better.
Because when you play The Password Game, you don’t just struggle with the rules—you realize how ridiculous they’ve always been.
Footnotes
1. Here’s the latest guidance from the US government’s National Institute of Standards and Technology (NIST) digital identity guidelines and the UK NCSC’s password administration guidance for system owners.
2. These are called leet transformations—swapping letters for similar-looking numbers and symbols, like replacing “A” with “@,” “E” with “3,” or “O” with “0.” They were once thought to add security, but hackers caught on long ago, and now they mostly make passwords harder for humans to remember while remaining trivially easy for computers to crack.