Comment by tharkun__

6 months ago

I don't think that is correct at all.

Users are not "at least using a passphrase". They will do the simplest thing ever.

What happened when people used the password "123" and we added "Must have at least 8 chars"? They made it "password".

What happened when people used the password "password" and we added "Must have one upper case char"? They made it "Password" or "passworD".

What happened when people used the password "Password" and we added "Must have one number"? They made it "Password1".

What happened when people used the password "Password1" and we added "Must have one special char"? They made it "Password1!".

Guess what happened when people used the password "Password1!" and we added "Must be 30 chars long"? They made it "Password901234567890123456789!".

(or anything else stupidly easy based on whatever password they used to have anyway)

As in, you are missing the point I'm making. You cannot solve a people education problem by adding more and more "stringent" requirements. You need to educate them. You need to make them understand why it matters. Only then might they actually care enough to use a proper passphrase like you suggested.

In that sense I do agree with you that using a password manager is the best most people can do. I use one at work and it's a game changer. But I only use it because it's provided by work and thus it's free for me. If they didn't provide it, guess what I would do too? If they have obnoxious rules, then I will thwart them any which way makes it easier for me. So my "change your password every 30 days and it can't be one of the last 8" password was, of course, my last password, but it went up to <lastPassword>8 until I went to <lastPassword> again.
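The escalation described in the comment above is easy to reproduce in code: every password in the "123" to "Password901234567890123456789!" sequence satisfies the cumulative composition rules at the step where the user introduced it, yet all of them collapse to the same base word once cheap mutations (case, leet substitutions, digit and punctuation padding) are undone. The script below is an added example, not code from the original thread; the weak-word list, the leet map, and the similarity threshold are constructed assumptions for illustration, and a real deployment would check against a large breached-password corpus instead of a five-word set. It also shows the only similarity check that is actually possible at password-change time: comparing the new password with the current one (which the user just typed in plaintext), which is enough to catch the `<lastPassword>1` to `<lastPassword>2` rotation trick but cannot reach further back into a history that is stored only as hashes.

```python
import difflib
import re
import string

# Constructed toy list of weak base words. A real check would use a large
# breached-password set (HIBP-style), not this sample.
WEAK_BASES = {"password", "123", "qwerty", "letmein", "welcome"}

# Assumed leet map: undo the usual symbol/digit-for-letter substitutions.
LEET = str.maketrans(
    {"@": "a", "$": "s", "0": "o", "1": "i", "!": "i", "3": "e", "4": "a", "5": "s", "7": "t"}
)


def passes_composition_rules(pw: str, min_len: int = 8) -> bool:
    """The cumulative rule set from the thread: minimum length, one upper-case
    letter, one digit, one special character."""
    return (
        len(pw) >= min_len
        and any(c.isupper() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(c in string.punctuation for c in pw)
    )


def normalize(pw: str) -> str:
    """Reduce a password to its base word by undoing cheap mutations:
    lower-case it, strip leading/trailing digit and punctuation padding,
    then map interior leet substitutions back to letters."""
    s = pw.lower()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)  # drop the padding users bolt on
    return s.translate(LEET)


def is_trivial_mutation(pw: str) -> bool:
    """True when the password is nothing but a weak base plus decoration
    (or contains no letters at all, like '123')."""
    base = normalize(pw)
    return not base or base in WEAK_BASES


def too_similar(new: str, current: str, threshold: float = 0.8) -> bool:
    """Reject a new password that is a trivial edit of the current one, e.g.
    'MySecret1' -> 'MySecret2'. Only the current password is available in
    plaintext at change time, so this cannot cover the whole history."""
    if normalize(new) == normalize(current):
        return True
    ratio = difflib.SequenceMatcher(None, new.lower(), current.lower()).ratio()
    return ratio >= threshold


def audit(pw: str, min_len: int) -> dict:
    """Return both verdicts side by side for one candidate password."""
    return {
        "password": pw,
        "passes_rules": passes_composition_rules(pw, min_len),
        "trivial": is_trivial_mutation(pw),
        "base": normalize(pw),
    }


if __name__ == "__main__":
    # The sequence from the comment, each paired with the rule set in force
    # when the user picked it (the last one with the 30-char requirement).
    sequence = [
        ("password", 8),
        ("Password", 8),
        ("Password1", 8),
        ("Password1!", 8),
        ("Password901234567890123456789!", 30),
    ]
    for pw, min_len in sequence:
        print(audit(pw, min_len))
    print(audit("correct horse battery staple", 8))
    print("rotation trick caught:", too_similar("MySecret2", "MySecret1"))
```

Note that `passes_composition_rules` is the check most real systems stop at; the last entry in the sequence passes it at 30 characters while `normalize` still reduces it to "password", which is the point the commenter is making.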