[snarfy]

You'll have half your users with passwords like '123'. You could say it's the user's fault and their account is compromised, but when it's half the users on your site, really your site is compromised.

Better to have a minimum password entropy.

[SideburnsOfDoom]

I think that you misunderstood. What I want is that the password can be 100s of chars long, if the user so chooses. i.e. no noticeable maximum length.

I said nothing at all about minimum password lengths, and that's deliberate, it's a separate kettle of worms.

[maemre]

I understood the parent comment as the password length should be 3 digits long (hundreds of chars) rather than password itself.

[SideburnsOfDoom]

Correct, though I would phrase it as "the password can be 100s of chars long, if the user so chooses"

i.e. No noticeable maximum length for people using password managers and generating 30, 50 or 100 char random passwords, but still insulated against attacks with endless streams of input data - it is acceptable to reject 10 000 char passwords as a hostile input designed to tie up server resources.

I said nothing at all about what the minimum password length should be, and that's deliberate, it's a separate kettle of worms.

But ok: I'm also not a fan of measures such as "password entropy" or "must contain at least one from column A and one from column B". Subjectivity, naive use and changing attacks have given these a bad reputation, often deserved. Password length is not subject to such changing moods.

The parent posts comment, "A decent minimum password length, without any funky requirements, just the minimal length" is fine by me. I didn't want to add to that statement on the topic.

With all the rules in the world, some people are going to have relatively weak passwords, and we cannot entirely eliminate that. But we can also allow and encourage strong passwords by - as an easy first and minimum step - removing deliberate misguided impediments like max lengths and disabling paste.