NoFluff Dispatch


Stop Letting Websites Gaslight You About Passwords

If a site tells you your password can only be 8–12 characters, can’t use certain symbols, or must start with a letter, you’ve just learned something very important.

They don’t know what the hell they’re doing.

Modern password security isn’t complicated. You don’t need gimmicks, you don’t need arbitrary rules, and you sure as hell don’t need a system from 2005 throwing a fit because you dared to type an exclamation point.

What you need is hashing and salting.

That’s it.

Wait, What’s Hashing and Salting?

Here’s the short version:

Hashing takes your password and runs it through a one-way recipe. Imagine blending eggs, flour, and sugar into a cake. You can’t “un-bake” a cake back into eggs. Same deal with hashing: once it’s processed, you can’t reverse it back into your password.

Salting sprinkles in something unique before baking, a random ingredient just for you. Well, really a pile of random ingredients. That way, even if two people use the same password (“Password123,” looking at you), their “cakes” come out completely different. And because each hash has its own salt, every one has to be attacked separately, which makes them monumentally harder to crack.

The Cracking Difference

Unsalted 8-character password: Cracked in minutes with modern hardware. And because every copy of the same password hashes to the same value, cracking one cracks every account in that database that used it.

Salted 8-character password (with proper hashing): Takes decades, possibly centuries, per password.
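To make the "done wrong" versus "done right" difference concrete, here is an added example (not code from NoFluff, written for this page) that builds two password tables from the same constructed users: one with a bare SHA-256 digest, one with a per-user random salt and PBKDF2-HMAC-SHA256. The iteration count is an assumption chosen to keep the example quick; the point is that the unsalted table leaks who shares a password while the salted one does not.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Dict, Optional

# Assumed parameters for this example; tune the iteration count for production.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_unsalted(password: str) -> str:
    """The 'done wrong' version: one plain SHA-256 digest, no salt.
    Two users with the same password get identical stored values."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None) -> str:
    """The 'done right' version: a fresh random salt per user plus a
    deliberately slow key-derivation function. Returns 'salt$digest'."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def users_sharing_a_hash(table: Dict[str, str]) -> int:
    """How many users share a stored value with at least one other user.
    For an unsalted table this is exactly what a thief reads off the dump."""
    counts = Counter(table.values())
    return sum(1 for value in table.values() if counts[value] > 1)


# Constructed sample users; "Password123" is reused, as in the article.
USERS = {"alice": "Password123", "bob": "Password123", "carol": "correct horse battery"}
UNSALTED_TABLE = {user: hash_unsalted(pw) for user, pw in USERS.items()}
SALTED_TABLE = {user: hash_salted(pw) for user, pw in USERS.items()}

if __name__ == "__main__":
    print("unsalted users sharing a hash:", users_sharing_a_hash(UNSALTED_TABLE))  # 2
    print("salted users sharing a hash:", users_sharing_a_hash(SALTED_TABLE))      # 0
    print("alice verifies:", verify_salted("Password123", SALTED_TABLE["alice"]))  # True
```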

Done Right vs. Done Wrong

Done right, even if hackers steal the database, all they get is a bunch of indecipherable nonsense. Done wrong, you get the clown show of “must include a capital letter, one digit, and can’t exceed 12 characters.”

Before you ask, no, this isn’t new. Hashing and salting have been around since the late 1970s. Developers have had nearly 50 years to get this right. If they still haven’t, it’s either incompetence or laziness, and neither belongs anywhere near security.

The Real Translation of Password Rules

When a company forces you into those stupid restrictions, they’re not protecting you. They’re advertising their incompetence. They’re saying: “We didn’t bother building real security, so we’re going to dump the burden on you.” That’s not policy. That’s negligence in a trench coat.

If everyone salted and hashed properly, password reuse across sites wouldn’t even be dangerous, because each site would generate its own unique, unusable hash. But most companies don’t bother. It’s cheaper to pretend complexity equals security.

In 2024, of the 3,158 recorded data breaches, 2,580 happened because companies didn't bother hashing and salting passwords properly. AT&T alone had 73 million exposed accounts. There is no excuse for this.

Okay, this is all fine and good, but there are services that I need that have these crappy password rules. What should I do?

Use a complicated password. And I'm going to tell you to do something that nobody else will. Get a little notebook that you can keep with you all the time and write the damn thing down.

Security experts are screaming at me now: “That's a security vulnerability!”

Sure, if you get mugged every time you leave home. Most of the time, people who steal your passwords are going to be doing it online and won't have access to your notebook. All of these tech idiots tell you to get a password manager, which is fine and good if you feel like dealing with yet another thing to do.

Most people have real things to do and don't have time for that.

Get a notebook.

Oh, and you wouldn't leave your wallet lying around on your desk would you? Don't leave your notebook lying around either.

You're welcome.

So next time a site tells you how many characters you’re allowed to have in your password, take it for what it really is: a big flashing warning sign.

Translation: “We don’t know what the hell we’re doing. If we can't figure out passwords, what else are we doing wrong?”

Find an email address (probably on their Contact Us page) and send them this article; obviously somebody needs it.

Email this to the company

If you suspect a website or company of incompetence or negligence, or suspect they will reply with some techno babble, we got your back. Send an email to report@nofluffcollection.com so they can be properly raked over the coals.

Don't tolerate ineptitude.

Demand better.

Posted on: 2025-08-18

© Copyright 2025 NoFluff Collection