Enterprises that impose stringent password-composition policies appear to suffer the same fate as those that do not.

Additional Metadata
Persistent URL dx.doi.org/10.1145/2934663
Journal Communications of the ACM
Citation
Florêncio, D. (Dinei), Herley, C. (Cormac), & Van Oorschot, P. (2016). Pushing on string: The 'Don't care' region of password strength. Communications of the ACM, 59(11), 66–74. doi:10.1145/2934663