by usablebytes 4401 days ago
The worst, I guess, is the password constraint. I really fail to understand why any application (except banking, maybe) should force its users to go for difficult passwords. I agree, it weakens the security - but warn them, don't force them. It should be a guideline, not a rule. Whether I want to follow it or not is my decision; my risk.
2 comments

I can't think of a set of rules to make passwords secure. It all feels like smoke and mirrors at this point. Are we going to have a blacklist of passwords that you can't use as passwords anymore (and require users to change password on next log in as we add new items to the blacklist)?

Otherwise, the more I read about these experts who can get 90% of a 16k password hash list figured out in a few hours, I can't think how MyAuntSally1 is any safer than donkey.

My bank insisting on a hard-to-remember 8-character password isn't making it more secure than letting me pick a longer passphrase.