Comment by jandrese

IMHO there are only 2 requirements for a good password:

1. It must be close to impossible for a computer to guess.

2. It must be easy for a human to remember.

Virtually all password policies focus exclusively on point #1, with the vast majority just giving cargo cult instructions without really understanding the state of the art. Almost nobody puts any emphasis on point #2, which is arguably more important as it is the source of most breaches. If a person can't create a password, ignore it for a week, and then remember it immediately for the next login it's a bad password. This is where requirements like "no more than two characters from a character set (lower case, upper case, numbers, punctuation) in a row" are actively counterproductive. If the password has to be so convoluted that the user is forced to write it down then you've undermined your own security. Worse, it means the help desk will be forced to reset many many passwords which increases the chances of an impersonation attack succeeding.