I'm sick of the tyranny of websites who say your password must include at least one shady character, one special agent, and a number of other filthy things. Only makes your passwords impossible to remember, hard to type, and not a bit more secure.
"mynameisronalddumpandimanorangehairedorangutan" is a million times more secure than "P4$$word".

Password manager
99 random chars
cap, low, numbers, symbols

In a world of millions upon millions of leaked account details and password hashes being reversed (Md5, sha1) and rainbow tables making people's life easier, why would you not want to make a password as complicated as possible?

Also, if you're using stupid pA$$W0Rds! That will be used in a brute force attack anyway, that's you're problem.

Please, evolve by using a password manager and remember only 1 password.

u.u

@Abrynos max chars drive me nuts, or "your password is too long"

Well how long is tooo long!

Aren't password managers single point of failure? Someone gets access to it and now they can get into your bank, e-mail, paypal and other stuff.

@arraysstartat1 that's why we have multi factor authentication.

I like to use a fixed calculation rule, so I don't have to remember anything nor using any pwd generator.
Like for example: substitute url vowels with o, first letter uppercase, add .0.
For devrant.com would be:
Dovrontcom.0

pass 98% of tests

@h4xx3r Sure! And then forget that one master password or (lose your device if the password manager is installed locally, or wait for the service to be hacked if it's a cloud-based service), and lose all your passwords at once.

And when they have a max length so you are in the middle of typing a long password to fit all the stupid requirements then you look up and its stopped you at 3 characters.

The best way to make a password secure is to make it as long as possible. Here's an easy way to generate pseudo-random passwords that can be generated on-the-fly:

Example: imagine you want a password for your Google account. Goo somehow looks like 600, and glE somehow looks like 913.

Those two numbers, 600 and 913, are your seed, and they are the only thing you need to remember.

Now, construct a sequence of numbers using the Fibonacci method (N[i] = N[i-1] + N[i-2]) and the chosen seed:

600, 913, 1513, 2426, 3939, 6365, 10304, 16669, 26973

Now put those numbers together and you have your random password:

6009131513242639396365103041666926973

It's impossible to reconstruct it without knowing your seed, the digit distribution is random, and DUE TO ITS LENGTH, brute-force trials won't discover it even though you are using only digits (they DON'T KNOW that). Adding a special character to that string doesn't make it any more secure.

@acz0903 I solved those issues by running a nextcloud instance from home, everything is syncretized with everything in a private way ;)

I'd still be ok with the instructions, only if they display the instructions also while I'm typing in the password to login. I'm sure i can crack my own password.

Forgot password is a nice way to waste time. People working on startup ideas (especially workplace productivity) have a really good problem at hand to solve. And no saved passwords is not the way (insecure ti say the least)

I feel you.
setting up rules like those don't cause passwords to be safer. they just give the boundaries for rainbow tables.
but they block high entropy, easy memorizable techniques like diceware.
basically "long, simple passwords" will outperform cryptic short ones.

IMO maximum length is the worst idea ever (just hash it!), and believe it or not there are still people/organizations forcing you to change your password every x weeks.

luckyly, we see a growing adoption of "magic links", 2FA and "sign in with..."

@h0ru5 now, I agree with everything outside of Sign in with... While I use it a lot, I believe it's a really shitty option. Say you want do delete your Facebook account, now you lose access to all these other services.