← Back to context

Comment by alexb_

3 years ago

> instead of testing password length/number of characters, I look for overall entropy in the formula of [alphabet length for char set used]^(number of letters in password).

You should do none of this. It shouldn't be the websites concern if my account gets hacked - basic password requirements are fine, but anything that goes past a character count is just making the UX worse. The requirements increase friction, which you've already put at a high level due to requiring payment.