Because it took someone a long time to understand lookahead and other regex rules needed to get it set up on their system, and they're both proud of it and loath to replace it!
One reason not covered here is that a lot of companies still contractually require their software services vendors to follow old, outdated password rules that reflect Burr's old password requirements. This includes password complexity rules and forcing regular password changes on employees. The companies wrote a bunch of security requirements a few years ago, but no one is really responsible for making sure those requirements stay modern, for example removing password requirements and requiring webauthn instead. So what was supposed to be something that made vendors do the right thing with security has now become something that makes these companies unable to adapt to new security theories and practices.
Because user education is hard and costly, you can't just do away with a policy without enforcing high-entropy passphrases or something that doesn't contain guessable patterns or leaked phrases.
But my favorite: out of date thinking by decision makers. "Since you have 2FA anyway, who cares?" is one sentiment. "We will have passwordless, replace our auth provider, or whatever silver bullet, who cares?" is another.
Just updating the policy and doing the hard work of user education and improved UX doesn't have a good cost-benefit ratio, and it doesn't show managers spending a lot on vendors and drumming up costs of the alternative to show they're actually also saving money.
The list goes on. Passwords aren't sexy anymore, so they don't get invited to budget dates.
- minimum of 21 characters
- has to contain a capital letter
- numbers
- special character
I had a discussion with someone in the IT department on why this was unnecessary, and he agreed but said they were forced by higher-ups.
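To make the comparison concrete, here is an added example (not code from anyone in this thread) that implements the composition rules listed above next to a NIST SP 800-63B style check: a length floor plus a blocklist of leaked and context-specific values, with no composition rules. The leaked set, the service name `acmecorp` and the sample passwords are constructed for illustration only.

```python
import re

# Constructed stand-in for a breached-password corpus (a real deployment would
# query a breach dataset such as the Pwned Passwords range API); entries are made up.
LEAKED = {"Password1234567890123!", "password", "qwerty", "letmein"}
SERVICE_NAME = "acmecorp"  # hypothetical service name for the context-word check


def legacy_policy(pw: str) -> bool:
    """The composition rules quoted above: 21+ chars, a capital, a digit, a special char."""
    return (
        len(pw) >= 21
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[0-9]", pw) is not None
        and re.search(r"[^A-Za-z0-9]", pw) is not None
    )


def modern_policy(pw: str, username: str = "", leaked=LEAKED) -> bool:
    """NIST SP 800-63B style check: a length floor, no composition rules, and a
    blocklist of leaked and context-specific values instead of complexity."""
    if len(pw) < 8:
        return False
    if pw in leaked:  # exact match against the (constructed) breach corpus
        return False
    low = pw.lower()
    for word in (SERVICE_NAME, username):
        if word and word.lower() in low:  # service name or username inside the password
            return False
    return True


def compare(pw: str, username: str = "") -> dict:
    """Return both verdicts so the two policies can be compared side by side."""
    return {"legacy": legacy_policy(pw), "modern": modern_policy(pw, username)}


if __name__ == "__main__":
    samples = (
        "Password1234567890123!",        # passes every composition rule, but is leaked
        "correct horse battery staple",  # long passphrase rejected by the legacy rules
        "AcmeCorp2024!Welcome!",         # compliant, but built from the service name
        "hunter2",                       # too short for both
    )
    for pw in samples:
        print(f"{pw!r:32} {compare(pw)}")
```

The first sample shows the failure mode the thread is about: a password can satisfy every composition rule and still be on a breach list, while a long passphrase that would survive the modern check is rejected for lacking a capital letter and a digit.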