So work has blocked my password manager and reiterated their password requirements (must be unique, at least n chars, upper, lower, punctuation, plot, character development, do not write them down, expire periodically) -.-

This goes completely against the current @NCSC guidance!
We need to talk about passwords, password crackers and reasonable expectations regarding human cognitive performance.

Computers are good at cracking all kinds of codes, including passwords. This is literally what early computers like Colossus were built for: breaking German wartime cipher traffic.
There's loads of software out there for cracking passwords. Exhaustively guessing every possible password (brute force) takes a very long time (years or more), so password crackers use strategies that shrink the search to something practical (minutes or hours).
The most common strategy is a dictionary attack, where the software tries every entry in a list of commonly used (and previously leaked) passwords. This is effective because humans are bad at thinking up strings that are both random and memorable.

https://www.verdict.co.uk/most-common-passwords-2019/
To try and slow the password crackers down, system policies usually include complexity requirements, such as:
1) Mix of upper and lower case,
2) Must include a number,
3) Must include a special character,
4) No keyboard sequences, e.g. 12345, qwerty, etc.
The intent is to stop users using passwords like "password" (weak, but easy to remember), and get them using passwords like "v7*Y5x8lU" (strong, but impossible to remember).

However, what actually happens is "Password2020!", which is weak, easy to remember and compliant.
And the people who write password crackers know that this is what users do! So they write software that takes the dictionary we talked about earlier and mangles it using the most common user strategies for making "complex" passwords (crackers such as hashcat and John the Ripper ship these as rule files), e.g...
Uppercase, dictionary word, number, punctuation.

Substitute letters with numbers or punctuation (e becomes 3, a becomes @, s becomes $, etc).

And more!
While this does slow them down a little, it doesn't slow them down much, and it makes users' lives a whole lot harder because we're now at the edge of human cognitive performance.

Brains aren't good at string manipulation and memory tasks, whereas computers are very, very good at it!
We are only human, and we have limited capacity to create and store complex passwords. In a world where we need a lot of them, it's unreasonable to expect a unique one for every site, system or application. So we economize and re-use. Which makes things even worse!
Attackers know this and now use a tactic called "credential stuffing", where they take username and password pairs leaked from a compromised service like FA and replay them against other services, in case the user has re-used the same password somewhere else.
This can be a big problem, and, as security professionals, is entirely one of our own making. We created the environment that promotes this kind of behaviour. What did we expect to happen?
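From the defender's side, a credential-stuffing run has a recognisable shape in the authentication log: one source trying many different accounts in a short window, with the odd success where a re-used password happened to work. The following is an added example (my code, not from the thread) that flags that pattern over a constructed sample log; the log format, the 60-second window and the five-account threshold are assumptions for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z ip=203.0.113.7 user=alice result=fail
2024-03-01T10:00:02Z ip=203.0.113.7 user=bob result=fail
2024-03-01T10:00:02Z ip=203.0.113.7 user=carol result=fail
2024-03-01T10:00:03Z ip=203.0.113.7 user=dave result=success
2024-03-01T10:00:04Z ip=203.0.113.7 user=erin result=fail
2024-03-01T10:00:05Z ip=203.0.113.7 user=frank result=fail
2024-03-01T10:00:09Z ip=198.51.100.2 user=alice result=fail
2024-03-01T10:00:20Z ip=198.51.100.2 user=alice result=fail
2024-03-01T10:00:31Z ip=198.51.100.2 user=alice result=success
2024-03-01T10:05:00Z ip=192.0.2.9 user=gina result=fail
"""


def parse_line(line):
    """Assumed format: ISO timestamp followed by key=value fields."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_credential_stuffing(log_text, window=timedelta(seconds=60), min_users=5):
    """Return {ip: distinct_accounts} for sources that tried at least `min_users`
    different accounts within any `window`. Successes count as attempts too:
    a stuffing run that hits a re-used password is one success among many fails,
    and a user fat-fingering their own password (198.51.100.2) is not flagged."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_ip[rec["ip"]].append((rec["ts"], rec["user"]))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = max(len(users), flagged.get(ip, 0))
    return flagged


def suspicious_successes(log_text, flagged):
    """Successful logins from flagged sources: the accounts where a stuffed
    credential worked, i.e. users who re-used a breached password."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            if rec["ip"] in flagged and rec["result"] == "success":
                hits.append((rec["ip"], rec["user"]))
    return hits


if __name__ == "__main__":
    flagged = find_credential_stuffing(SAMPLE_LOG)
    print("stuffing sources:", flagged)
    print("accounts to reset:", suspicious_successes(SAMPLE_LOG, flagged))
```

The useful output is the second list: the accounts that accepted a stuffed credential are the ones whose owners re-used a password, and those are the sessions to revoke and the passwords to force-reset.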
To get an idea of the scale of the problem, try out @troyhunt's http://haveibeenpwned.com . That should be suitably frightening.
So how do we cope with this? Obviously, passwords should DIAF and be replaced with something better, but a common standard isn't likely to happen soon. The reason we have passwords is because they're a low-cost solution that works with something everyone already has: a keyboard.
If we're stuck with them, and the only way to make them remotely secure is to use unique and complex passwords, then the only way we're going to cope is by augmenting our limited password generation and retention capabilities, i.e. by using password managers.
Password managers give you the opportunity to have a unique, randomly generated password for every service, and to protect the vault with more than a single password, e.g. two-factor authentication. You also only have one complex password to remember, which makes things a lot easier.
Password managers are a legitimate way to cope with a fundamentally flawed system. They also have a vested interest in protecting you: a well-designed one encrypts the vault on your device under the master password, so a breach of the provider exposes ciphertext rather than your passwords, and a password manager that gets hacked isn't going to be around for long.
Until we can all agree on something better, passwords are going to be around and we are going to need password managers to ease our cognitive burden and to limit the harm caused by breaches and bad policy.

This is the end of my rant.
You can follow @tryst_me.