by armabiz 3893 days ago
I would also add to this statement that this shouldn't be the user's problem, but the service's problem. By forcing users to set strange passwords, services transfer their problem of securing passwords onto users' shoulders.

Instead of following shitty password rules in forms, it's better to make it very hard or expensive to brute-force these passwords. So use any heuristics to identify abnormal/dangerous activity and take action to decrease the attacker's chances, like rate limiting, captchas and so on.

  * If you see one IP trying to log in with incorrect creds at a really high rate, then it's probably an attack.
  * If you see really a lot of IPs trying to crack a specific user account at the same time, then it's probably an attack.
Instead of that I can see the opposite practice: services set draconian password policies, but allow requests with incorrect credentials without any limits: "30 req/sec? You're welcome, buddy! Need an API maybe?"

I suspect something like this happened before:

"It looks like a lot of work with rate limiting and all that stuff, let's just force our users to set 10+ character passwords with one+ capital letter, one+ number, one+ special character". Oh, and in these examples there is usually a cherry on the cake like:

  - Dev1: "Let's not allow 2 of the same character or 3 characters of the same type"
  - Dev2: "Let's also force our users to change their passwords every 3 months"
  - CEO: "Brilliant ideas! We're secure now!"
These surprises are up to every developer's/other infosec genius's imagination :)

So, my conclusion is that the best security systems should be almost invisible to normal users and leave attackers screaming.
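The two heuristics from the comment (one IP failing at a high rate; many IPs failing against one account) as detection logic over sample failure events. This is an added example, not code from the comment; the thresholds, the 60-second window, the alert names and the sample events are constructed assumptions.

```python
from collections import defaultdict, deque

# Assumed thresholds (not from the comment): tune to real traffic.
IP_FAIL_LIMIT = 10      # failures per IP per window before rate-limiting it
ACCOUNT_IP_LIMIT = 5    # distinct IPs failing against one account per window
WINDOW = 60             # sliding window in seconds


class LoginFailureMonitor:
    """Tracks failed logins and flags the two patterns the comment describes."""

    def __init__(self, window=WINDOW, ip_limit=IP_FAIL_LIMIT,
                 acct_ip_limit=ACCOUNT_IP_LIMIT):
        self.window = window
        self.ip_limit = ip_limit
        self.acct_ip_limit = acct_ip_limit
        self.ip_fails = defaultdict(deque)    # ip -> timestamps of failures
        self.acct_fails = defaultdict(deque)  # user -> (timestamp, ip) of failures

    def _prune(self, dq, now, key=lambda e: e):
        # Drop entries older than the sliding window.
        while dq and key(dq[0]) < now - self.window:
            dq.popleft()

    def record_failure(self, ts, ip, user):
        """Record one failed login; return the set of alerts it triggers."""
        alerts = set()
        ipq = self.ip_fails[ip]
        self._prune(ipq, ts)
        ipq.append(ts)
        if len(ipq) > self.ip_limit:           # one IP hammering at a high rate
            alerts.add("rate_limit_ip")
        aq = self.acct_fails[user]
        self._prune(aq, ts, key=lambda e: e[0])
        aq.append((ts, ip))
        if len({e[1] for e in aq}) > self.acct_ip_limit:  # many IPs, one account
            alerts.add("challenge_account")
        return alerts


# Constructed sample events: (timestamp, source_ip, username), RFC 5737 test addresses.
SAMPLE_EVENTS = (
    [(t, "203.0.113.7", "alice") for t in range(0, 12)]        # one IP hammering alice
    + [(30, "198.51.100.%d" % i, "bob") for i in range(1, 8)]  # seven IPs on bob
    + [(40, "192.0.2.9", "carol")]                             # a single typo
)


def run(events, monitor=None):
    """Feed events through a monitor; return {alert: [events that fired it]}."""
    monitor = monitor or LoginFailureMonitor()
    fired = {}
    for ts, ip, user in events:
        for alert in monitor.record_failure(ts, ip, user):
            fired.setdefault(alert, []).append((ts, ip, user))
    return fired
```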