by spectralblu 3872 days ago
I used to be of the mind that the service provider should let me choose whatever password, since it was, after all, my password and my account.

The place I'm working for right now used to have no password policy for the end users. We also had a feature that allowed them to link their Twitter accounts so that they could automatically share content out to their networks.

Eventually what happened was that people blamed us for their Twitter accounts getting "hacked". What actually happened was that they set a dumb password (like "password") on their account with our service, authorized us to post to Twitter on their behalf, and when someone hacked their account with us they could then post to the victim's Twitter account.

We started taking plenty of heat for this, so eventually we decided to impose a password policy (a sane one, at that) and this problem eventually went away. The users of our service aren't particularly tech savvy, so blaming them for their shoddy practices wouldn't have done us any good. It might have made sense to try to fight this if we were a company like Okta, which sells security as a service, but we don't, so we had to make the decision to enforce password requirements just to stop all the bad reviews in the app store and the social media hate we were getting.
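The comment above does not say what its "sane" password policy looked like. The following is an added example, not code from the commenter's service, of the kind of minimal check that would have rejected "password" while avoiding the composition rules (mandatory symbols, forced rotation) that mostly annoy users. The length limits, the small deny-list of common passwords, and the helper names `password_problems` and `is_acceptable` are all assumptions made for the example; a real deployment would use a much larger breached-password list.

```python
import unicodedata

# Assumed policy parameters for this example; not from the original comment.
MIN_LENGTH = 12
MAX_LENGTH = 128

# Tiny constructed deny-list. A production system would load a large
# breached-password corpus instead of hard-coding a handful of entries.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty",
    "letmein", "welcome", "iloveyou", "abc123", "admin",
}

# Characters commonly tacked onto a weak base word ("password1!", "qwerty123").
TRAILING_JUNK = "0123456789!@#$%^&*.-_"


def normalize(password: str) -> str:
    """Unicode-normalize so visually identical strings compare equal."""
    return unicodedata.normalize("NFKC", password)


def password_problems(password: str, user_identifiers=()) -> list:
    """Return a list of human-readable reasons the password is rejected.

    An empty list means the password passes. Checks are deliberately
    length- and deny-list-based rather than character-class rules.
    """
    pw = normalize(password)
    problems = []

    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")

    # Compare case-insensitively and also with trailing digits/symbols
    # stripped, so "Password1!" is treated as the base word "password".
    folded = pw.casefold()
    stripped = folded.rstrip(TRAILING_JUNK)
    if folded in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS:
        problems.append("is a commonly used password")

    # Reject passwords that embed the username or email local part.
    for ident in user_identifiers:
        ident = normalize(ident).casefold()
        if len(ident) >= 4 and ident in folded:
            problems.append("contains your username or email")
            break

    return problems


def is_acceptable(password: str, user_identifiers=()) -> bool:
    """Convenience wrapper: True when no problems were found."""
    return not password_problems(password, user_identifiers)


if __name__ == "__main__":
    for candidate in ["password", "Password1!", "correct horse battery staple"]:
        print(repr(candidate), password_problems(candidate, ["spectralblu"]))
```

The username check matters in the scenario described: an attacker who knows the account name can try it first. Note that the policy checks the normalized and case-folded form, so trivial variants of a deny-listed word are caught without needing a separate rule for each.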