When you set or change your BNDRY password, the rules might look a little different from what you're used to. We ask for length, we ask that you don't reuse recent passwords, we ask that the password isn't trivially derived from your account, and we block passwords that appear on standard lists of commonly used or previously breached passwords — and that's about it. We don't force you to mix uppercase, lowercase, digits, and symbols, and we don't make you change your password on a schedule.
There's a reason for that, and it's the same reason the US National Institute of Standards and Technology (NIST) has been telling organisations to drop those rules for nearly a decade. This article walks through the password rules BNDRY enforces, why they look the way they do, and how to pick a password that satisfies them comfortably.
The rules
Every BNDRY password must meet the following requirements.
| Rule | Requirement |
|---|---|
| Minimum length | 12 characters. |
| Maximum length | 128 characters. Long passphrases are encouraged — see Choosing a strong password. |
| Can't be (or contain) your email | Your password can't be your email address, and can't contain your username. Because BNDRY uses your email address as your username, these are effectively the same rule. |
| No commonly used or breached passwords | Passwords that appear on standard lists of commonly used or previously breached passwords are rejected, even if they otherwise meet the length requirement. For example, password123456 clears the 12-character minimum but is one of the most-guessed passwords in existence, so it's blocked. |
| No recent reuse | You can't reuse any of your last four passwords when changing it. |
What you'll notice is missing from that list: any rule about mixing uppercase, lowercase, digits, and symbols, and any rule that forces you to change your password every 60 or 90 days. Both omissions are deliberate.
Why no character complexity?
Most password policies you've encountered probably required a specific mix of character types and forced you to rotate your password every few months. NIST formally recommended against both practices in 2017 with the publication of SP 800-63B, and the latest revision (SP 800-63-4, finalised in 2024) keeps that position.
The reasoning, in short:
-
Composition rules produce predictable patterns. When forced to add a symbol and a digit, people overwhelmingly choose things like
Password1!,Summer2025!, orWelcome123. Attackers know this, and these are the patterns they try first. BNDRY blocks these specific patterns directly by checking every new password against a list of commonly used and previously breached passwords — a much more effective defence than a composition rule that only nudges users toward the same predictable shapes. -
Length matters far more than character variety. A 16-character all-lowercase passphrase like
correct horse battery stapleis many orders of magnitude harder to crack thanP@ssw0rd!. Adding length adds genuine strength; adding a forced symbol mostly adds annoyance. -
Forced rotation makes passwords weaker, not stronger. When people are made to change passwords frequently, they make small, predictable modifications —
Spring2024!becomesSummer2024!becomesAutumn2024!. An attacker who learns one variant easily guesses the rest. NIST's recommendation is to only force a password change when there's a specific reason to believe the password has been compromised. - Complex passwords get written down. A password complex enough that you can't remember it tends to end up on a sticky note, in a spreadsheet, or in an email to yourself — all of which are far worse than a memorable strong passphrase.
So BNDRY follows the modern guidance: require enough length to defeat brute-force attacks, make sure the password isn't trivially derivable from your identity, prevent immediate reuse, and otherwise stay out of your way. Choose anything you can remember that satisfies the length requirement, and you'll have a password that's stronger than the typical complexity-rule output.
Choosing a strong password
The easiest way to comfortably clear the 12-character minimum is a passphrase: three or four unrelated words strung together, with or without spaces. A few illustrative examples (don't use these exact ones):
correct horse battery staplepurple-mango-quiet-rivermountain typewriter velvet 47
Passphrases are easier to remember than complex passwords, longer (and therefore much stronger) than typical eight-to-ten character passwords, and naturally avoid the predictable patterns attackers target.
If you'd rather not choose a password yourself, use a password manager. The manager will generate and store a long random password for every account you have, including BNDRY, and you only need to remember the master password. This is the approach the BNDRY team uses internally and the approach we recommend to customers handling sensitive compliance data.
Whichever approach you choose, two things to avoid:
- Don't reuse a password you use elsewhere. If another service is breached and your password is leaked, attackers will try the same email-and-password combination against every system they can find — including BNDRY. A password used in only one place limits the damage of any one breach.
- Don't pick something that personally identifies you. Your name, your organisation's name, your birthday, or a pet's name are all easy guesses for an attacker who knows anything about you.
Multi-factor authentication
A strong password is one layer of defence. Multi-factor authentication (MFA) is another, and a much stronger one — even a perfectly chosen password can't be stolen and reused if the attacker doesn't also have your second factor. BNDRY supports MFA via authenticator apps and we strongly recommend enabling it on every account.
Comments
0 comments
Article is closed for comments.