I’m currently testing password policies on websites to get a feeling for what might be an acceptable policy/trade-off that provides good protection for our users without frustrating them.
I was surprised to find out that each and every website I tested allowed me to set a password that was equal to my username or e-mail address. If it couldn’t be set to the username, it was only because it didn’t meet the minimum length requirement. Equal to e-mail address worked every time. Even on sites that had rather strict policies otherwise.
Instinctively, I would think that this is no more secure than using a stupid password, such as “1234” or “password”. I’m also pretty sure that NIST SP 800-63B advises against such context-specific passwords (i.e. containing application name, username or user e-mail address). Unfortunately, I cannot verify this claim, as the NIST publication seems to be currently unavailable due to the US government shutdown.
Am I wrong in thinking that such context-specific passwords should be treated in the same manner as “stupid” passwords? If yes, what am I not seeing?
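As an added illustration (not code from the question or from any site it tested), here is a Python policy check of the kind the question describes: it rejects a password that equals or contains the username, e-mail address, e-mail local part, service name or simple derivatives of them (case-insensitive, accent-stripped, reversed, with separators removed), alongside a minimum length and a small blocklist. The blocklist, the service name and the sample accounts are constructed for the example.

```python
import re
import unicodedata

# Constructed stand-in for a real breached-password corpus.
COMMON_PASSWORDS = {"password", "1234", "12345678", "qwerty", "letmein"}
MIN_LENGTH = 8


def _normalize(value):
    """Case-fold and strip accents/whitespace so 'Alice ' and 'alicé' compare equal."""
    value = unicodedata.normalize("NFKD", value)
    value = "".join(ch for ch in value if not unicodedata.combining(ch))
    return value.casefold().strip()


def context_terms(username, email, service_name):
    """Derive the context-specific terms a password must not be built from."""
    local_part, _, domain = email.partition("@")
    terms = {username, email, service_name, local_part, domain.split(".")[0]}
    # Split on common separators so 'bob.smith' also yields 'bob' and 'smith'.
    for value in (username, local_part, service_name):
        terms.update(re.split(r"[._\-\s]+", value))
    # Very short fragments would match almost any password, so keep >= 3 chars.
    return {_normalize(t) for t in terms if len(_normalize(t)) >= 3}


def check_password(password, username, email, service_name):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    pw = _normalize(password)
    # Letters only, so 'a-l-i-c-e-9' still matches the term 'alice'.
    letters_only = re.sub(r"[^a-z]", "", pw)
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw in COMMON_PASSWORDS:
        problems.append("on the common-password blocklist")
    for term in sorted(context_terms(username, email, service_name)):
        if term in pw or term in letters_only or term[::-1] in pw:
            problems.append(f"contains context-specific term {term!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample account: the e-mail-as-password case from the question.
    print(check_password("alice@example.com", "alice", "alice@example.com", "ExampleShop"))
    print(check_password("correct horse battery staple", "alice", "alice@example.com", "ExampleShop"))
```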