[usbfingers]

Note, some of that is a requirement by the Matrix protocol and is out of clients control. It's ultimately up to the server to configure different password requirements.

https://matrix.org/docs/spec/client_server/latest#notes-on-p...

> Clients SHOULD enforce that the password provided is suitably complex. The password SHOULD include a lower-case letter, an upper-case letter, a number and a symbol and be at a minimum 8 characters in length. Servers MAY reject weak passwords with an error code M_WEAK_PASSWORD.

[zzo38computer]

While it can, my opinion is the client and server should not enforce anything about password strength, but MAY warn the user about weak passwords.

The criteria that I think would be acceptable to be enforced includes:

- A maximum (not a minimum) length, which must be suitably long, perhaps 200 bytes (or longer).

- Rejecting passwords containing null bytes.

- Rejecting passwords containing sequences of bytes that cannot be transmitted using the protocol, if it is necessary to transmit the password using the protocol at all (which it might not be, since it might use a hash instead). (This depends on the protocol.)

- If despite the advice above, the client knows that the server will reject other passwords too, and knows precisely what the criteria are, the client can reject the same passwords.

Examples of some things that should be allowed (and should not be rejected) include:

- Passwords that are short.

- Passwords that include your username as a substring.

- Character classes/lack of character classes (e.g. you should not require nor prohibit punctuation).

- Control characters (if not causing problems with the protocol like mentioned above).

- Invalid UTF-8 sequences.

(Just because they are allowed though, does not necessarily mean that they should be recommended.)

Also, passwords should always be case-sensitive.

The user should decide by themself what password they want to set, although it is OK to include advice that is optional.

[miloignis]

Not to be overly pedantic, but SHOULD is not a requirement according to https://www.ietf.org/rfc/rfc2119.txt, but a recommendation that should be fully understood before making a different decision. I fully agree that it should be a different measure of complexity though!

[Y_Y]

Why is this still a thing? I think all tech people hate it, and all non-tech people use "Password1".

[throwamon]

Some tech people hate it so much that they delegate it to a password manager. ;)

[ExtraE]

As a side-note, I wish I could give lastpass a regex or pattern or something to check auto-generate guesses against (it would be great to have a [trusted] library of these, too). I often end up regenerating or tweaking my auto generate settings a few times for every new account I create to get around this stuff.

[reidjs]

Password managers are great until you need to log in on someone else’s machine. Especially when you don’t have your device on you. It’s bitten me before.

[throwamon]

If you have hundreds of unique passwords, I don't see an alternative unless you're a savant or use predictable patterns. But that doesn't mean there aren't ways to get around it. For one, using a password manager shouldn't stop you from remembering your most important passwords, especially those you expect to use in other people's machines. You can take some extra care to make these important passwords easy to remember while still being secure. I could go on but everything I'd say is quite obvious.

[reidjs]

Oh I use a password manager too. Just pointing out it isn’t a catch all