Fix Enforced Password (in)security!
There are some things in life that kinda annoy you, and you want to do something about them. But they seem too big. Too hard. Someone else's responsibility. Which just means you are not confident to try, and sometimes if you try hard, you can make things happen.
Even big things, like getting the more than one defence force to adopt a peacekeeping project in a foreign country, that you decided was a a good idea to help the mission... Even if you nearly get court marshalled for pushing it, as sometimes you might also get an official commendation for it. Or you may decide the traffic is going the wrong way, and lobby the council to change the direction of traffic flow despite naysayers telling you it's impossible. Or lobbying the UK government to implement a new funding scheme to specifically include school scheduling.
So far I've managed to have good success in pushing some of these impossible projects, and it wasn't easy. But there are always more to work on. See our campaigns. Here's one that needs some attention. Will you help?
We all know what this means I presume. That a good password has a lot of different special symbols, upper and lower case letters, numbers... and especially that it should be regularly changed or enforced to be changed by your IT department. This helps keep it secure in case it was compromised. Also, we should record the answers to some knowledge questions like First car and name of first pet, so these can be used to verify us if we forget our password.
Except not. The above is ALL the complete opposite of what correct password security is about.
Governments around the world put significant resources to running security research in defence and intelligence, as well as being a major provider of security advice to business.
It will probably come as some surprise that most of the largest countries governments all agree on some core aspects of password security. That we should
NOT enforce special characters, and should
NOT force users to regularly change their passwords
NOT use knowledge questions for password resets
Wikipedia has the right idea, saying that complexity rules and forced password resets just make systems less secure, due to the human element.
Fun fact: I wrote a government accredited textbook for the investigation industry, which extensively covers the use of social engineering to get information out of people, and a long history of consulting in the security industry. I was also previously on the IT security committee at my former company Edval. I lobbied hard to have the company update to the more secure and importantly current password standards on complexity and periodic forced changes.
However I was unable to get support to change, or even debate as to why we would continue enforcing standards that are directly opposite to what all the government's say on complexity (USA, UK, Australia etc). You'd think when the author of the password complexity rules himself Mr Bill Burr apologizes for them and says they make security worse it would convey some weight... But no! My old company is unfortunately just like thousands of others who can't seem to engage in debate over what SEEMS to be making passwords less secure.
Aren't passwords MEANT to be so hard to remember? Isn't it this what makes them secure from hackers? Oh dear... lol.
Founder of Password Complexity Says SORRY!
The 'rules' for password security were invented by Bill Burr from NIST in 2003, though he relied on a 1980's research, where online security was very different.
Multiple news articles where the author of password complexity rules recants, saying "(my) previous advice of creating passwords with special characters, mixed-case letters and numbers won't deter hackers" he told The Wall Street Journal. “Much of what I did I now regret,” he said on password complexity rules.
The interview resulted in a very large number of news articles around the world. It was big news, but sadly, despite this press, and updated guidelines, it still hasn't been fixed in many systems to comply with the updated guidelines.
The advice about frequently changing a password has been criticized since the report. A 2010 study by the University of North Carolina at Chapel Hill showed that updating passwords often can actually help hackers identify a pattern. Another study from Carleton University said frequent changes are more inconvenient than helpful.
Other credible research articles supporting this include
USA Government: National Institute of Standards and Technology (NIST)
This USA department is part of the Department for Commerce., and includes a significant Computer Security department. They have published a very lengthy, highly detailed, well researched publication, with input from multiple authors and stakeholders, covering Digital Identity Guidelines. One may say it's a pretty good resource and certainly government requirements and guidance on various aspects of password management.
They specifically cover password complexity requirements here: https://pages.nist.gov/800-63-3/sp800-63b.html#a3-complexity
22.214.171.124 Memorized Secret Verifiers
Verifiers SHALL require subscriber-chosen memorized secrets to be at least 8 characters in length.
Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
And for Knowledge based verification, it is NOT approved for password resets, and says for example:
KBV cannot be used to satisfy verification requirements
i. The CSP SHALL NOT use KBV questions for which the answers do not change (e.g., "What was your first car?").
Experienced security leaders in private industry are of course supportive of the NIST guidance.
Incredible that so many companies and government departments are continuing to retain extremely outdated security policies that not just make life online harder, but according to the evidence and NIST government guidelines, these old policies actually significantly reduce online security. However, it takes a brave IT manager to implement the new improved security policies. Why? Because it 'Feels' less secure. It's not what so many other companies and departments are doing. Who dares removing that decades old, comforting feeling of high security that comes from password complexity rules that are so complex, you struggle to remember your own passwords. Which is kinda the point. This is exactly why these rules REDUCE password security, and increase vulnerability in organisations that are afraid to change with the times. We rush to implement new security patches, yet we are reluctant to rush new security policies that depart so much from what 'we are used to'.
People... let's BE BRAVE. Follow the damn government guidelines, and stop being precious and uncertain. Doing so will:
Reduce your organisations significant support effort to manage user password resets
Reduce user friction and speed interactions with your site, plus make users happier
Reduce sign up failures do to 'Too hard to sign up due to failing password complexity' (Yes, it's a thing)
Increase security in access to your systems
Reduce your legal liability. If any major compromise occurred due to passwords being written down etc, users would have recourse in court now, to show that your failures in adopting the current password standards as advised by government, for many years now, was a significant factor in the problem which occurred. This may result in adverse publicity costing far more in loss of consumer confidence, than the impact of having to compensate a user for actions that resulted from password misuse.
Show your organisation as a leader, unafraid to do the right thing, and not being asleep at the wheel, or afraid of adopting things that may be seen as 'reducing security' for those who have not done the extensive research.
Password complexity with enforced complex password symbols, periodic forced password changes and knowledge based verification are all the WRONG way, and the INSECURE way. Actively promote password managers, and the use of multi word phrases that are easy to remember, but very hard to guess.
Because Entropy and also Human behaviour are curious things!
USA Federal Trade Commission
The USA Federal Trade Commission reports on Forced Password Changes.
Basically Saying DON'T!
UK Government - Cyber Security
The Director General for Cyber Security, Government Communications Headquarters (GCHQ ) states this official advice on password complexity and expiry:
Password guidance - including previous CESG guidance - has encouraged system owners to adopt the approach that complex passwords are ‘stronger’. The abundance of sites and services that require passwords means users have to follow an impossible set of password rules in order to ‘stay secure’. Worse still, the rules - even if followed - don't necessarily make your system more secure. Complex passwords do not usually frustrate attackers, yet they make daily life much harder for users. They create cost, cause delays, and may force users to adopt workarounds or non-secure alternatives that increase risk.
“By simplifying your organisation’s approach to passwords, you can reduce the workload on users, lessen the support burden on IT departments, and combat the false sense of security that unnecessarily complex passwords can encourage.”
Forced Password Changes
Forced Password Changes
Regular password changing harms rather than improves security, so avoid placing this burden on users. However, users must change their passwords on indication or suspicion of compromise.
Changing passwords Most administrators will force users to change their password at regular intervals, typically every 30, 60 or 90 days. This imposes burdens on the user (who is likely to choose new passwords that are only minor variations of the old) and carries no real benefits as stolen passwords are generally exploited immediately.
Password Strength Meters.
Password strength meters aim to help users assess the strength of their self-generated passwords. They may steer users away from the weakest passwords, but often fail to account for the factors that can make passwords weak (such as using personal information)
Be aware of the limitations of password strength meters.
Password management software can help users by generating, storing and even inputting passwords when required. (Why don't we regularly encourage this in systems!)
UK National Cyber Security Centre
Do not use complexity requirements. Using complexity requirements (that is, where staff can only use passwords that are suitably complex) is a poor defence against guessing attacks. It places an extra burden on users, many of whom will use predictable patterns (such as replacing the letter ‘o’ with a zero) to meet the required 'complexity' criteria. Attackers are familiar with these strategies and use this knowledge to optimise their attacks. Additionally, complexity requirements provide no defence against common attack types such as social engineering or insecure storage of passwords.
For the above reasons, the NCSC do not recommend the use of complexity requirements when implementing user generated passwords.
Don't enforce regular password expiry. Regular password changing harms rather than improves security. Many systems will force users to change their password at regular intervals, typically every 30, 60 or 90 days. This imposes burdens on the user and there are costs associated with recovering accounts.
Forcing password expiry carries no real benefits because the user is likely to choose new passwords that are only minor variations of the old
Also note: Interesting to see Freedom of Information requests on password rules being denied
UK Information Commissioner's Office (ICO)
Special characters: You should allow the use of special characters, but don’t mandate it.
What should we do about password expirations and resets?
You should only set password expirations if they are absolutely necessary for your particular circumstances. Regular expiry often causes people to change a single strong password for a series of weak passwords.
As a general rule, get your users to create a strong initial password and only change them if there are pressing reasons, such as a breach of your systems
Microsoft Windows - Password Security
In a security update, Microsoft removed password expiry, stating official advice that:
There’s no question that the state of password security is problematic and has been for a long time. When humans pick their own passwords, too often they are easy to guess or predict. When humans are assigned or forced to create passwords that are hard to remember, too often they’ll write them down where others can see them.
When humans are forced to change their passwords, too often they’ll make a small and predictable alteration to their existing passwords, and/or forget their new passwords. When passwords or their corresponding hashes are stolen, it can be difficult at best to detect or restrict their unauthorized use.
Recent scientific research calls into question the value of many long-standing password-security practices such as password expiration policies
Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don’t believe it’s worthwhile for our baseline to enforce any specific value.
Eliminate character-composition requirements.
3. Eliminate mandatory periodic password resets for user accounts.
Other academic research supports this:
FAILS! Organisations Who Didn't Get The Memo
Australian Securities and Investments Commission (ASIC)
Provides security advice on passwords which significantly conflicts with advice from many other sources, suggesting the (old/debunked by research) advice of:
Uses a combination of lowercase and uppercase letters, numbers, and special characters
Changing your password periodically is a good way to protect your online account. As a guide you should change your password between 1 and 4 times a year.
This ASIC site also states: For more information on creating and managing password and online safety, please visit the Australian Governments Stay Smart Online website. Except this site link is old, and doesn't take you to the correct content anymore.
Queensland Government (Australia)
The QLD Tender site has archaic password complexity rules that are so obtuse, even the instructions on password complexity don't cover all the rules. Having the same character three times within the password - perhaps not consecutively, is this outside the guidelines?
Sadly the QLD Government Tender site is not adopting best practice security guidelines. This is one example of many thousands of course, but the screenshot shows a problem we are all too familiar with. The fear in what may seem as watering down security is actually following extensively researched guidelines.
Australian Cyber Security Centre
Sadly, this respected body has not updated their archaic password policies following the research, and the advice from their Five Eyes colleagues in UK and USA, the advice from Microsoft and other security researchers. They are STILL providing the old advice, which was introduced when NIST released their guidance, since retracted by the author with a sorry!
They state that:
Passwords/passphrases are changed if they have not been changed in the past 12 months.
Passwords should be a: Minimum of 15 alphabetic characters; or a minimum of 11 characters consisting of at least three of the following character sets: lowercase alphabetic characters (a-z), uppercase alphabetic characters (A-Z), numeric characters (0-9), special characters.
They do promote passphrases,
Passwords are passé - passphrases are longer and stronger
Passwords are passé. It’s time to use passphrases instead.
Sadly though, despite correctly referring to passwords as passé they then still refer to using complex symbols , which is not the point of passphrases. It's as if someone left the old material in when they transitioned to advising from using complex passwords (with symbols), to passphrases (that replace symbols with length, and aid memorability).
Complexity is defined as using a combination of different character sets: capital letters, lowercase letters, numbers and special characters. Combining character sets can make a passphrase more difficult to guess and increases the time it takes to be cracked. For example, ‘red House #sky train’, ‘Sleep free hard idea!’ or ‘crystal onion clay @Pretzel‘.
Even their own site has bad links. Try to look up this link, then click the link under heading 'As an Individual... Use strong passwords. You will find the link goes to a weird page.
Ok, so there are likely to be many, many thousands of sites who are still promoting the insecure password policy. Making user lives harder, adding to organisational support costs, and most critically, making security worse.
We can all help. Send messages. Alert. Complain. Ask why are these old policies still in place. Please UPDATE them to reflect the modern security best practice, borne of research.
But Wait! There's more from Australia! Sadly..
Seems Australian government WAS recommending the correct best practice in online security.
If we check the good ole Wayback machine, we see what the Australian government was advising back in 2017.
Do not include Arbitrarily mixed letters, numbers and symbols in your passwords. It is also better not to change your passwords frequently, for example each month, as it leads to poor passwords being created.
The above advice is directly the text from the Stay Safe Online Government website.
If we try to go to this resource now, we are redirected to:
Which is utterly useless, yet is referenced in other areas, such as
Re What to do as an individual re passwords - is also redirected to this utter nonsense page, as is others like https://www.cyber.gov.au/acsc/view-all-content/guidance/top-10-questions-parents-have-about-online-security
Wake up Australia!
Australian Government's Cyber Security Centre changed from issuing correct password advice in 2017, to now issuing advice which conflicts with Microsoft, and USA & UK governments. The government changed their advice despite the author of the original password complexity confirming it's nonsense, and to not follow it.
I call on the Australian Government to:
1. Fix it's Cyber security website, and make it easy for anyone to find out the correct advice on secure passwords, passphrases, & password expiry.
2. Realise it's password advice is woefully out of touch with modern research, it's five eyes colleagues USA & UK. CORRECT the advice on password security. DO NOT force complex symbols or upper/lower case in passwords. DO NOT force password expiry.
3. Send a updated media release on password advice. Millions of us struggle with passwords every day. This would be a breath of fresh air to us all who interact online (i.e. everyone). Your poor advice, and poorly accessible advice on passwords ... is most unfortunate. For a Cyber advice department, you may be forgiven for thinking this is the one area that you can't possible get wrong. And it WAS perfectly correct back in 2017, oddly before the great password awakening!
10/5/2021 Small update. The ASD has acknowledged at least ONE error in their security advice, and have advised me they will get their web team to correct it. However, this is just fixing the link to passphrases, and doesn't correct the more important issue of the ADVICE re special characters and password expiry. Their current advice here conflicts with A) Their advice from 2017, and B) The rest of the world - Microsoft, UK and USA governments, and B) Their passphrase advice begins to say passwords are passe (good) but then carries on to say special symbols are needed to add complexity, which is wrong as the passphrase adds complexity in LENGTH, not special symbols.
So chalk up one SMALL win so far in the fight... but we have a way to go yet!
Facebook - SECURITY PASS
As a major global platform with billions of users, we expect Facebook to be up with modern best practices in online security. Facebook USED to require complex symbols, numbers and upper/lower case letters in passwords. However, they have removed this, and also promoted password help advice that passwords should be easy for you to remember.
However, in the great global password complexity fiasco, many IT professionals in the world are still promoting that Facebook requires complex symbols, numbers and upper/lower case.
This is poppycock, and has been for years now. Please help others discover that simpler passwords are more secure. Long, but simple and easy to remember. There is a reason major government cyber security advice is promoting that complex passwords are insecure. Because HUMANS are insecure, and hacking is not the main threat (provided the password is long). Besides, research shows that forced password characters actually HELP hackers, as their use by humans is so predictable. Who knew!
Facebook also updated their policy to not worry about passwords being reused, or too similar to previous passwords. They also reduced the minimum number of required characters to six. Because password memorability is far more secure than password complexity. As research evidence shows.
Don't believe me? Change your Facebook password to a1a1a1. It works! Now change it back. It works! Note: It's correctly not preventing password reuse (despite many thinking this aids security). By way of example, Uber DOES prevent password reuse, which with a glitch in their system, caused me to face more than half a dozen password resets, and I was forced to devise a new password each time. Reuse of passwords should be permitted. Only suspected breach should cause the user to initiate a change, and not be forced... as government cyber advice encourages.
Interestingly, Facebook also accepts passwords typed with Caps lock on. So if you enter A1A1A1 as your password, it also works, as does A1a1a1 being first cap only. Other combos are not supported. Because password simplicity and ease of use is more secure than password complexity.
Google - SECURITY PASS
Google correctly has a focus on password simplicity and memorability. It specifically does NOT require the use of special characters, numbers or upper / lower case. However, these are of course permitted if desired, just not encouraged or enforced.
Google does require 12 characters which is more than many, but with the world moving to passphrases, this is not terrible... though I suspect not necessary, and is more than government cyber advice. Google also prevents password reuse which is unfortunate and not in line with government cyber advice. Passwords should never expire, and should only be changed by users on suspected compromise.
Blocking password reuse causes new security issues, such as a user who wants to give account access to someone very temporarily, then change their password back. Except they can't. So maybe now they give their real password and not change it, to a partner who then becomes an ex partner. Besides, blocking reuse might be fair if a password was 'properly used', but in many cases a user may want to temporarily change a password within a single day, or when there are IT problems.
Maybe their borrowed keyboard has a broken key and they can't type % without copy paste, and are annoyed having to keep logging in, so temporarily change their password till the keyboard is fixed. Who knows, there are many scenarios, but forcing users to never reuse passwords, even when they are 100% sure there has been no compromise, is just friction, adds to password support calls, writing passwords down, or new passwords changing from password 123 to password1234 or something. Simple (but long) is secure.
University North Carolina Pembroke - SECURITY FAIL
When in 2017, a major story broke about password complexity, the respected USA Today newspaper cited university level research from UNCP that confirmed what was found elsewhere about forced password complexity and password expiry (Forced changes)
A copy of the research paper cited by the newspapers is found on the University server
Except that the university itself has not adopted their own research (dated 2010), or the USA Government's Cyber security guidelines, they have in the last decade made it even more restrictive and completely the opposite of the best practice in online security.
Passwords are set to expire every 90 days, can't be reused, must contain characters from three groups of the following four...but while special symbols are forced, they are NOT PERMITTED to be used as letter substitutions (e.g. o = 0 or 3 = E), and can't be more than two consecutive letters from the name or user name (e.g. Hoped is not permitted if your name was cooper...)
Goodness, talk about onerous and time wasting, but also less secure. Do you know anyone in charge at this university? Please help them discover the folly of their current advice, and help encourage them to improve their online security by simplifying passwords, in line with the USA Governments very clear advice.
MelbourneIT - SECURITY FAIL
At the time of this transcript, the URL I provided has changed domains, but the Government advice was as seen in the Internet archive of the URL as at 2020:
Which states: Do not include Arbitrarily mixed letters, numbers and symbols in your passwords. And of course MelbourneIT's security was directly contradicting the Australian Governments Cyber Security Advice which hasn't been advised as changed. One may be forgiven for assuming a web domain service would be up with current online security best practice.. as given by Microsoft, USA & UK governments, and several university research studies..
Transcript below. IT Support. Can you here me? Can you understand? Are you security aware or mindlessly sticking to the script, even when there is clear evidence it needs to change?
Stevenson (19/05/2020, 23:08:07): Hello. How can I assist you today? Me (19/05/2020, 23:08:38): Hi, I was having trouble setting a new account password. Me (19/05/2020, 23:09:03): It said I needed to put in special characters in the new password Me (19/05/2020, 23:09:52): I wanted to give some feedback Stevenson (19/05/2020, 23:10:16): Hello Chris. Are you pertaining to your email account or console password? Me (19/05/2020, 23:10:31): Or perhaps a mild complaint - it seems your password policy is out of alignment with security best practice. I wondered if you could forward this as a suggestion to your team? Me (19/05/2020, 23:10:42): Account password for all my domains Me (19/05/2020, 23:10:55): Australian https://www.staysmartonline.gov.au/protect-yourself/doing-things-safely/passwords-passphrases UK https://www.ncsc.gov.uk/collection/passwords/updating-your-approachUSA https://pages.nist.gov/800-63-3/sp800-63b.htmlhttps://en.wikipedia.org/wiki/Password#Choosing_a_secure_and_memorable_password Me (19/05/2020, 23:11:41): Can I gently point out that password rules like you have, were regarded as specifically advised against - because they are actually less secure? Me (19/05/2020, 23:12:21): I assume that the national government websites of three major Western nations should be sufficient - but most of the world's government security says the same thing Me (19/05/2020, 23:12:48): Which is DO NOT enforce password rules with special characters and other stuff (don't force users to regularly change passwords etc) Me (19/05/2020, 23:14:59): Password rules WERE regarded once - long ago - as a good idea, but a lot of research found it a lot worse to force them... Makes folk write it down or more frequently have to reset, which is worse and so on.
Anyway, given the links above seem pretty darn clear - I wondered if your organisation might want to update it's security to align with current best practice.
Because it's a bit of a pain for users, quite apart from being less secure.
I don't want to make a big fuss, but wondered if you might pass this on as a suggestion? Stevenson (19/05/2020, 23:15:10): Thank you for waiting. Apologies for late response. Thank you for confirming. Our system is requiring a strong password for your account for security purpose. It must be minimum of 8 alpha numeric characters with uppercase and special characters (e.g: !,@, #, etc.). You can use a password generator to create password, kindly see the link below:
https://passwordsgenerator.net/ Me (19/05/2020, 23:16:20): Yes. Can you see these rules are not in alignment with the Australian government IT security advice? I know these were the old way, but that was years ago. Me (19/05/2020, 23:17:45): I guess I'm gently pointing out your security policy is not in alignment with many western government nations security recommendations - which cover that password rules with special characters WAS seen as secure, but is not seen as LESS secure. Me (19/05/2020, 23:18:50): now seen seen as less secure I mean :-) Stevenson (19/05/2020, 23:18:56): Sorry if you're not happy on our security purpose for our password recommendation for our customers console and email accounts Stevenson (19/05/2020, 23:19:43): Our system will only accept the password that you're going to create if it contains minimum of 8 alpha numeric characters with uppercase and special characters (e.g: !,@, #, etc.). Me (19/05/2020, 23:20:23): I just thought you would want to have good security, so perhaps your organisation wasn't aware of the updated policy advice on secure passwords, that's all.
So what is the best way to communicate this to your team? Me (19/05/2020, 23:21:25): I can see you are advising me what the policy is. That's clear. But it's the policy itself that I am alerting you to. I am quite clear what characters are needed. Are you clear in what I am communicating to you about the Australian government best practice on password security? Stevenson (19/05/2020, 23:21:26): You can emails us at firstname.lastname@example.org Me (19/05/2020, 23:22:00): Ok, are you not able to take this to your team directly? Me (19/05/2020, 23:22:52): Can you see the links? I mean they are quite clear that password rules are not secure, and advised not to be used. So I wanted to help your team realise this, and consider a review, that's all. Stevenson (19/05/2020, 23:25:24): Thank you for your concern. But I think our password requirement is justifiable. When I'm updating my password on my social media accounts it is also requiring secure password that contains of minimum of 8 alpha numeric characters with uppercase and special characters Me (19/05/2020, 23:27:04): Are you suggesting the Australian Government is not correct in their security advice? Me (19/05/2020, 23:28:12): It seems your own site is probably using the old security rules too then.
I guess we should advise them as well, as the government advice comes from extensive research into what is secure, and rules SEEM secure, but the data shows otherwise. Stevenson (19/05/2020, 23:28:38): I am not saying that. What I'm trying to say is other accounts are also requiring same password requirements that we are also using for additional security on our customers account Me (19/05/2020, 23:29:11): Yes, it seems there are a lot of sites that have not updated their security policy in accordance with best practice. Me (19/05/2020, 23:29:21): Given that it changed a few years ago. Me (19/05/2020, 23:30:40): I suspect though, I'm not able to communicate this effectively for some reason.I just wanted to give feedback that the security advice has changed, and that you might want to review given your site is not in alignment with the current security advice, that's all. Me (19/05/2020, 23:30:58): I'll leave it at that, and try to send feedback via your email address instead. Stevenson (19/05/2020, 23:32:08): Thank you for your concern Chris. But for the mean time our system currently recognized that the password is secure if it contains of minimum of 8 alpha numeric characters with uppercase and special characters Stevenson (19/05/2020, 23:32:16): Would there be anything else that I can help you with? Me (19/05/2020, 23:33:05): No thanks. Stevenson (19/05/2020, 23:33:36): You're welcome Chris. Stevenson (19/05/2020, 23:33:44): Have a Great Day ahead and Stay Safe! Me (19/05/2020, 23:34:36): Oh, Me (19/05/2020, 23:35:08): I just checked. Facebook doesn't have Password rules. They have now removed the requirement to use special characters in passwords. Just saying... Stevenson (19/05/2020, 23:35:41): Thank you for that information, maybe it's still not updated on our system. Me (19/05/2020, 23:35:42): Min length yes, common words yes - these are banned, but capitals and special characters - these are not required anymore. Me (19/05/2020, 23:35:50): Ok. Bye
Additionally, MelbourneIT's password complexity rules are even worse than usual, marking only SOME standard special punctuation characters like brackets and hyphens as banned!!
Enter the new password. Passwords must contain one each of the following: Upper and Lowercase letters; Numbers and Special characters. Please do not use the open or close bracket characters - ( or ).
Randall Munroe from https://xkcd.com/936 nails it, with his globally recognised cartoon on the matter: