Comment by Xss3
1 day ago
Hot take, password requirements are a necessity to prevent id10t errors.
Another hot take, calling them passwords instead of pass phrases was a mistake.
People have no problem making a secure pass phrase like 'apophis is coming in 2029'.
It uses special chars and numbers, but some websites would reject it for spaces and some for being too long.
I say these are hot takes despite aligning with NIST because I've never seen a company align with them.
"password too long" for a password shorter than a megabyte is the most idiotic error ever created.
It only makes sense in HTTP basicauth and other systems that keep plaintext passwords.