by yawaramin 531 days ago
If someone is going to do this, 'At least one special character' etc. is not the way to do it. According to OWASP guidelines, a secure password must enforce a minimum length but not any other specific criteria, because they actually end up reducing password strength. Instead, the best option is to add a password strength indicator below the password entry field, to encourage the user to create a strong password. The help text can also mention using a password manager but it's difficult to do in a good way.
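The policy shape the comment above describes (a minimum length, no composition rules, a denylist of known-weak passwords, and a strength meter used as feedback rather than as a gate), worked through as an added example that is not code from the thread or from OWASP. The minimum length of 12, the denylist, the tiny wordlist and the bit estimator are constructed assumptions; the estimator is zxcvbn-like in spirit only, not its algorithm.

```python
"""Length-only password policy with denylist and advisory strength meter.
Added example; thresholds, wordlists and estimator are constructed assumptions."""
import math
import re
from typing import Optional

MIN_LENGTH = 12          # assumed value; OWASP requires a minimum, not this specific number
DENYLIST = {             # constructed stand-in for a breached-password corpus
    "password", "password1", "password12!", "password123!",
    "qwerty123", "letmein", "welcome1!", "summer2023!",
}
COMMON_WORDS = ["password", "welcome", "summer", "admin", "login",
                "monkey", "dragon", "master", "secret"]   # constructed tiny wordlist


def composition_rule_check(pw: str) -> bool:
    """The policy the comment argues against: >=10 chars, one digit, one special char."""
    return (len(pw) >= 10
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def _word_at(pw: str, i: int) -> Optional[str]:
    """Longest COMMON_WORDS entry starting at position i, case-insensitive."""
    low = pw.lower()
    best = None
    for w in COMMON_WORDS:
        if low.startswith(w, i) and (best is None or len(w) > len(best)):
            best = w
    return best


def estimate_bits(pw: str) -> float:
    """Crude pattern-aware guess-entropy estimate.

    Dictionary words cost log2(wordlist size) (+1 bit if capitalised),
    ascending digit runs like "123" cost a start digit plus a length,
    everything else is charged per character. With this tiny wordlist the
    per-character fallback overestimates real words it does not know."""
    bits, i = 0.0, 0
    while i < len(pw):
        w = _word_at(pw, i)
        if w:
            bits += math.log2(len(COMMON_WORDS)) + (1 if pw[i:i + len(w)] != w else 0)
            i += len(w)
            continue
        m = re.match(r"\d+", pw[i:])
        if m:
            run = m.group()
            ascending = all(int(b) - int(a) == 1 for a, b in zip(run, run[1:]))
            bits += (math.log2(10) + 1) if (ascending and len(run) > 1) else len(run) * math.log2(10)
            i += len(run)
            continue
        ch = pw[i]
        bits += math.log2(26 if ch.isalpha() else 33)   # letter, or one of ~33 symbols
        i += 1
    return bits


def strength_label(bits: float) -> str:
    """Buckets for a UI meter; thresholds are assumed, not from any standard."""
    if bits < 28:
        return "very weak"
    if bits < 40:
        return "weak"
    if bits < 60:
        return "fair"
    return "strong"


def evaluate(pw: str) -> dict:
    """Gate only on length and the denylist; the meter is advisory feedback."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in DENYLIST:
        reasons.append("appears in a list of commonly used / breached passwords")
    bits = estimate_bits(pw)
    return {"accepted": not reasons, "reasons": reasons,
            "estimated_bits": round(bits, 1), "meter": strength_label(bits)}


if __name__ == "__main__":
    for candidate in ["Password12!", "Password123!", "Monkeydragon1!",
                      "tangerine glacier fourteen windmill"]:
        print(f"{candidate!r}: composition rule says {composition_rule_check(candidate)}, "
              f"policy says {evaluate(candidate)}")
```

Running it shows the mismatch the comment is about: "Password12!" and "Password123!" satisfy the composition rule yet are denylisted and score around 13 bits, while the four-word passphrase fails the composition rule (no digit, no symbol) but is the only genuinely strong candidate. "Monkeydragon1!" passes the gate but the meter reports it as very weak, which is where the advisory indicator does its work.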

One of my pet peeves is when rules counteract the purpose they are supposed to serve, usually because of incompetence. Two years ago, I worked for a few months for a company where time reporting was accessed through a specific web page.

They required the password to be changed monthly, have at least 10 characters, at least one number and at least one special character. On top of that – they locked out password managers and pasting. "We need to make sure you are the one logging in and not a hacker that hacked your password manager" they explained when I asked.

Out of spite I went for "Password12!" the first month and "Password123!" the month after, at which point I received an email from the IT department explaining to me that my choice of password was endangering the corporation's security.

> I received an email from the IT department explaining to me that my choice of password was endangering the corporation's security.

Sounds like they were logging/storing passwords in plaintext.

Or offline cracking passwords using a wordlist.
Isn't it nice that hackers give up as soon as they realize they can't paste the password in?

And password managers (keepassxc anyways) have a pretty nifty auto-type feature that gets around that anyways.

Have you heard of the Cobra Effect?