Your password policy is a rat-tail bounty

In 1902 Hanoi put a bounty on rat tails and ended up with more rats, and your password policy is the same mistake in a nicer font.

In 1902 the French colonial government declared war on the rats of Hanoi. The rats won. Worse, they turned a profit doing it.

The French had just finished a beautiful modern sewer beneath the colonial quarter, kilometers of cool, dry tunnel under the nicest houses in town. To a rat, that's not infrastructure. It's a luxury development with central plumbing, and they moved in by the thousand. Then they started surfacing through the toilets of the men who built it, which is poetry you cannot plan. Then the plague arrived, because of course it did.

So the administration put a bounty on rats. A penny a head, open to anyone. Reasonable. Then, to spare the clerks from counting a mountain of corpses every morning, they made one small adjustment. You didn't have to bring in the whole rat. Just the tail. Proof of a dead rat, hold the dead rat.

Within weeks the tails poured in and the rat population wasn't dropping, which is strange for a population being exterminated. The reason turned up soon after, trotting around Hanoi in visibly excellent health, missing only its tail. The rat-catchers had solved it instantly. Trap a rat, take the tail, release the rat, because a live rat makes more rats and more rats make more tails. Some skipped the trapping and farmed them outright. When the government killed the bounty, the farmers released their worthless stock, and Hanoi ended with more rats than it began with. Michael Vann, a historian, found this in the French colonial archives. I'm not inventing it, tails included.

The bounty was meant to buy fewer rats. It bought tails, and a tail is a spectacularly bad stand-in for a dead rat. Economists call this Goodhart's Law: make a measurement the target, and people get very good at the measurement and forget the thing you wanted. I mention it because I've seen your password policy, and it's a rat-tail bounty in a nicer font.

Your policy can't see what it's paying for

What you want from a password is simple. Nobody can guess it. That is the dead rat. The catch is your policy has no way to measure "nobody can guess it." It can only check the easy things a computer confirms in a millisecond. Did it change since last quarter? Does it have an uppercase letter, a number, and one approved symbol? Those are the tails. So those are what it buys.

Tell a human their password has to be new and has to have a symbol, and you haven't asked for security. You've asked for a tail. So they hand you one. "Summer2024!" becomes "Autumn2024!" becomes "Winter2025!", and I know this because for two years at an old job that was my password, give or take a season. I wasn't choosing a credential every quarter. I was advancing a calendar by one square and adding an exclamation mark to show I cared. Demand complexity and you get "P@ssw0rd1", which has sat on every cracking list ever assembled, somewhere between "qwerty" and "dragon". The policy surveys all this and is thrilled. Changed: yes. Symbol: yes. The password, meanwhile, got easier to guess, not harder. You're looking at a healthy rat with no tail and writing down "one dead rat."

The question worth asking was never "does this have a symbol." It's "has this exact password already leaked." You can answer that yourself for free. Have I Been Pwned keeps a list of hundreds of millions of passwords from real breaches; screen new ones against it at signup and reset, so nobody picks a password that's already in somebody's spreadsheet. If you'd rather not wire that up by hand, a tool like Shielda flags the accounts across your stack still riding a leaked or reused password before anyone else does. Either way you're finally counting rats, not tails.

The people who wrote the rule already took it back

Now the part that should irritate you. The ninety-day rotation with the mandatory symbol, the policy you're almost certainly still running, stopped being best practice years ago. And the people who pushed it for decades have publicly walked it back.

In 2019 Microsoft pulled forced password expiration out of its recommended Windows security baseline. Microsoft, a company not famous for enjoying the words "we were wrong," called the policy it had pushed for twenty years "an ancient and obsolete mitigation of very low value." The reasoning was the rat thing: forcing changes makes people pick predictable passwords, and expiry barely helps, because anyone who steals a password uses it that afternoon, not in eleven weeks when it's politely scheduled to rotate.

NIST, the US standards body everyone else quietly copies, went further. It didn't just discourage scheduled rotation, it removed the option to require it, scrapped the character-soup rules, and said to screen against breach lists instead. Change a password when you have reason to think it leaked, not when the calendar says so.

And if your last line of defense is "our auditor makes us," I have bad news about your auditor. PCI DSS accepts the no-forced-rotation model. ISO 27001 doesn't mandate a schedule. SOC 2 wants proof your access controls work, not that you make everyone retype a password each quarter for sport. The audit stopped asking for this. Your policy is just the last one in the building who hasn't heard.

Where SMBs get this wrong

They trust the strength meter. A green "strong" bar means the password made the meter happy. The meter is a mood ring. "P@ssw0rd1!" turns it green and is still on every wordlist on earth.

They rotate everyone on a schedule and feel like responsible adults doing it. What they've built is a company-wide habit of predictable iteration, a thoughtful gift to anyone who's seen one of last year's passwords.

They decide it's a people problem. The people are behaving rationally inside a dumb incentive, like the rat-catchers, who were the sharpest operators in the whole story. You don't fix that with a sterner email. You fix the incentive.

One thing worth understanding

Here's the idea worth keeping after you've forgotten the rats. A security control is only as good as what it measures, and almost every password rule measures compliance, not safety. "It changed and it has a symbol" and "nobody can guess it" are two different sentences, and your policy has spent years proudly checking the first while believing it checked the second.

So the move isn't a stricter version of the same metric. More symbols and faster rotations grow fancier tails while the rats keep breeding in the walls. The move is to measure what you wanted all along. Length beats complexity badly, because every extra character multiplies the attacker's work, while one lone symbol mostly teaches them to also try "a" as "@". A breach-list check catches the passwords that are already public. And since any single one can still leak someday, a second factor turns a stolen credential from a catastrophe into a mild inconvenience.

That makes the to-do list short and mostly subtractive. Set a long minimum and let people use a passphrase instead of a punctuation riddle. Screen new passwords against a breach list when they're set and reset. Switch off scheduled expiry and force a change only on real evidence of a leak. Put multi-factor authentication, MFA, on anything that could ruin a week. A password manager makes "long and unique everywhere" survivable for an actual human, but that's its own post, conveniently next week's. You'll end up with fewer rules and a safer company, which feels like getting away with something. It isn't. That's just what it looks like when the incentive finally points at the goal.
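Here is the contrast from this post written out as code: the "tail" policy (changed, uppercase, digit, symbol) beside the "dead rat" policy (long minimum, screened against a breach corpus the way the Have I Been Pwned range lookup does it, with only a five-character SHA-1 prefix ever leaving the client). This is an added example, not the author's or anyone's product code; the breach corpus is a small constructed stand-in, and the passphrases and the 15-character minimum are assumptions.

```python
import hashlib

# Constructed stand-in for a breach corpus (the real Have I Been Pwned set
# has hundreds of millions of entries); the seasonal ones come from the post.
BREACHED = {"P@ssw0rd1", "P@ssw0rd1!", "Summer2024!", "Autumn2024!",
            "qwerty", "dragon", "correct horse battery staple"}

def build_range_index(corpus):
    """Index the corpus like the HIBP range API: the first five hex chars of
    the SHA-1 hash choose a bucket, the remaining 35 identify the password."""
    index = {}
    for pw in corpus:
        digest = hashlib.sha1(pw.encode()).hexdigest().upper()
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index

RANGE_INDEX = build_range_index(BREACHED)

def is_breached(password, index=RANGE_INDEX):
    """Client-side half of the lookup: send the prefix, compare suffixes locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in index.get(digest[:5], set())

def tail_policy(password, previous):
    """The rat-tail bounty: proxies a computer confirms in a millisecond."""
    return (password != previous
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in "!@#$%^&*" for c in password))

def dead_rat_policy(password, min_length=15):
    """What the post asks for: length plus a breach screen, no character soup.
    Returns (accepted, reason) so the reason can be shown to the user."""
    if len(password) < min_length:
        return False, "too short"
    if is_breached(password):
        return False, "already in a breach corpus"
    return True, "ok"

if __name__ == "__main__":
    # Assumed sample inputs: the seasonal rotation, the classic, a public
    # passphrase, and a long passphrase that appears in no corpus.
    for prev, new in [("Summer2024!", "Autumn2024!"), ("", "P@ssw0rd1"),
                      ("", "correct horse battery staple"),
                      ("", "hanoi sewer rat bounty 1902")]:
        print(f"{new!r:32} tail={tail_policy(new, prev)} "
              f"dead_rat={dead_rat_policy(new)}")
```

Note that "Autumn2024!" sails through the tail policy and fails the other one twice over, while the long passphrase that happens to be famous fails only the breach screen, which is exactly the check a length rule alone would miss.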

One last thing

The French never had a rat problem they couldn't solve. They had a bounty that paid for the wrong thing, and the rats, being rats, optimized it to perfection. Your people aren't the problem either. They're just handing you the tails you decided to pay for. The rats, for the record, were never the villains. They read the policy more carefully than the people who wrote it.