by jakub_g 2222 days ago
It's an interesting point, but I think when the user has a keylogger, they've already lost. I'd rather have websites disallow passwords shorter than ~10 chars which are trivially brute-force'able in case of a leak.

If special chars can be a signal for keyloggers, so are strings > 10 chars, and strings which are not all-lowercase/all-uppercase/first-capital. Basically to mislead the keylogger in this way, the user would have to use a short all-lowercase dictionary password :)

1 comments

I jokingly like the idea of using UTF-8 emojis in a password. They're available on nearly all phones and web browsers, common enough to not be susceptible to those sorts of keyloggers, and don't show up in any of the largest dictionaries/rainbow tables.