Obsolete password requirements cost over 50 billion dollars in lost productivity per year—solve the problem forever with these new password requirements!

by worstideas


You’re probably familiar with web sites that have very particular password requirements:

  • “Your password must contain a number, capital letter, and special character.”
  • “Your password must contain the name of a Triple Crown-winning horse.”
  • “Your password cannot contain your username.”

The purpose of these requirements is usually to either:

  1. Require that the password not be instantly guessable by hackers
  2. Require that the password be specific to a particular web site. Although this is quite rare, it does exist. For example, a bank could require that “$” appear in a password four times, which would prevent you from re-using your other passwords. (This is the same principle used by colleges that have weird essay prompts, preventing an individual from re-using other essays.)

The issue:

There are relatively few variants of these requirements, and they are all extremely unimaginative.

For example, the password pa#ss@W0rd can probably be used on most sites—so when one of them gets hacked, your bank account will be imperiled!

Three proposals:

The following proposals are for more creative methods of enforcing unique passwords (which generally would not be usable between sites).


Figure 1 / Proposal 1: Require that CURVED letters and ANGULAR letters alternate in the password. Very straightforward!

Font nerd bonus feature: See bonus figure A (at bottom) for more details about the degree to which this property depends on the specific font you are using.


Figure 2 / Proposal 2: Require that a password contain a number, letter, Chinese character (light blue), Devanagari syllable (purple) Greek letter (dark blue), and accented letter (orange). Those specific character sets are arbitrary, so different users could be given different language requirements. There is no shortage of options: there are ~32 character sets for currently-written languages in the current Unicode build plus approximately 100 historical scripts no longer in standard use.

Downside to this method: If you got really unlucky, your password might require the following: an Egyptian hieroglyph, Chinese obsolete seal-script character, Sumero-Akkadian cuneiform mark, and linear B symbol. Probably you should just register a new user account at that point. If you got incredibly unlucky, the site might even require a script that is not in Unicode yet (perhaps Maya glyphs). In that case, presumably you would have to draw (or carve) the appropriate Maya glyph and upload a picture with your cell phone camera.


Figure 3 / Proposal 3: Require that a password solve a certain type of visual puzzle. In this case, we require that a continuous line be drawn through all the symbols (this is shown as a yellow highlight).

Downside to this method: this puzzle would be extremely font-specific; the “p -> c” line and “c -> 6” line are a bit questionable even here.


If you run a web site, you should change your obsolete password requirements immediately!

PROS: Makes password re-use between sites impossible.

CONS: Probably you’ll use a password manager and then it will get hacked and/or you’ll forget the master password.


Bonus Fascinating Typeface Fun Fact Figure A: As a surprising feature of English typography, curved-and-non-curved letters (which are important to distinguish in the “curved vs angular” proposal in Figure 1) are consistent among nearly all non-handwriting fonts.

For example, a capital “M” is nearly always 4 straight lines, whereas a lower-case “m” is almost always two curved arches. The only counterexample I found in a non-exotic font was that a lower-case “j” is normally curved, but it is completely straight in the font “Futura.”  Futura is one of the few not-totally-a-gimmick fonts that defies the conservation-of-letter-curve.