So many companies in the UK don't seem to get it (or are purposefully doing bad security), we need regulation .. or perhaps just application of current legislation (I don't know) ..
There needs to be someone saying "you restricted your passwords to 8 alphabetic characters, your C-grade in charge of security can no longer hold a position that involves security, and your company must pay 50% of profits (subject to a minimum of 5% of revenue) as a fine."
With a very clear, basic, definition of minimum security levels for companies (above a certain size) to comply with.
We can't leave security to the market as the information isn't public and the market on the whole can't comprehend it.
Careful; this is things like FIPS, and it's likely to include things you don't like such as "ban the use of password managers and take technical measures to prevent pasting in passwords".
What are you referring to? The only FIPS I know are crypto standards from NIST, and they seem pretty reasonable. (Except for the EC RNG of course lol.) Even the NIST password recommendations are pretty reasonable IIRC, they recommend having no upper limit (or like 60+ characters) and not enforcing any kind of "you need at least 1 special sign and 2 numbers", except for a lower limit (at least 8 characters).
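As an added illustration (not part of the thread, and not NIST's own code), here is the contrast the comment draws, written as two small password-policy checks: the "8 alphabetic characters" policy complained about upstream, and a length-only policy in the spirit of the NIST recommendation (minimum 8, a high ceiling, no composition rules). The constant names, the 64-character ceiling standing in for "60+", and the rough search-space estimate are my assumptions.

```python
import math
import unicodedata

# Constructed example contrasting the two policies discussed in the thread.
# NIST_MAX is an assumption standing in for the "60+ characters" ceiling mentioned.
LEGACY_MAX = 8
NIST_MIN = 8
NIST_MAX = 64


def legacy_policy_ok(pw: str) -> bool:
    """The complained-about policy: at most 8 characters, letters only."""
    return 0 < len(pw) <= LEGACY_MAX and pw.isalpha()


def nist_style_ok(pw: str) -> tuple[bool, str]:
    """Length-only rule in the spirit of the NIST recommendation the comment describes."""
    # Normalize so the same visible string has the same length regardless of input method.
    pw = unicodedata.normalize("NFKC", pw)
    n = len(pw)  # code points, not bytes, so non-ASCII passphrases are not penalized
    if n < NIST_MIN:
        return False, "too short"
    if n > NIST_MAX:
        return False, "too long"
    # No composition rules and no banned characters: spaces, quotes and SQL metacharacters
    # are all accepted. Escaping them is the application's job, not the user's.
    return True, "ok"


def search_space_bits(pw: str) -> float:
    """Rough upper bound on guessing work: log2(alphabet ** length).

    The alphabet is inferred from the character classes present. This overstates the
    strength of dictionary-word passphrases; it is only meant to show the effect of a
    length cap on the best case."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII punctuation and space
    return len(pw) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    for candidate in ["password", "correct horse battery staple", "Pässwörter sind lang"]:
        print(f"{candidate!r}: legacy={legacy_policy_ok(candidate)} "
              f"nist={nist_style_ok(candidate)} bits<={search_space_bits(candidate):.1f}")
```

The legacy check is the one that rejects the long passphrase and accepts the eight-letter word; the length-only check does the opposite, which is the whole point of the comment.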
The problem with such regulations is they tend to be written by the same kinds of people - those who still assume that having meaningful SQL characters in a password is insecure, or that every device on the Internet will have a static IP.