There’s a growing consensus in the tech security world that what you really want from passwords is length. That the traditional 8 character password with letters, numbers, and special characters (typically a word with hacker symbols substituted in for some characters) is less secure than a longer, less cryptic password.
(I have some reservations about this consensus that I may discuss in another post).
But a lot of sites simply will not allow “good” passwords. I’m going to be a lot less likely to use a password like “echo barrier wander versus” if the rules of the site mean that I have to instead use “echobarrierwanderversus1$A,” since it doesn’t allow spaces and requires an upper case character, a number, and a special character.
That’s without getting into sites like Netflix, which inexplicably disallow passwords over 10 characters in length, presumably because Netflix hates security and enjoys being hacked.
The ideal approach to web security would probably be to start requiring 14 or 16 character passwords, and relaxing restrictions about types of characters, but that isn’t really tenable. The public has become conditioned to thinking of roughly 6-10 characters as the norm, and probably will not put up with being required to come up with longer passwords. C’est la vie.
But! That does not mean that you have to be part of the problem. A progressive approach to passwords is to allow the traditional 8 character passwords with a mix of whatever, and also longer passwords with no special characters. Your password validator becomes ever so slightly more complex (but, seriously, if you can’t implement the rules “password must be 8+ characters; if password is fewer than 16 characters, password must have a lower-case character, an upper-case character, and a non-alphabetic character; if password is 17 characters+, no type-of-character restrictions,” then you should not be coding), and you’re ready to embrace early adopters of the passphrase paradigm while not challenging the misguided social norms of the net.
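The tiered rule above as a small validator, added here as an example rather than code from the post. It assumes a 16-character boundary (the post says "fewer than 16" and "17 characters+", leaving 16 itself unstated, so 16 or more is treated as a passphrase) and a 256-character maximum, both of which are this example's choices.

```python
from dataclasses import dataclass

# Thresholds taken from the post. The post leaves the 16-character
# boundary ambiguous, so this example treats 16 or more as a passphrase.
MIN_LENGTH = 8
PASSPHRASE_LENGTH = 16
# Assumed cap, well above the 100 the post calls the lowest sane maximum.
MAX_LENGTH = 256


@dataclass
class Verdict:
    ok: bool
    reason: str


def validate_password(password: str) -> Verdict:
    """Short passwords need mixed character classes; long passphrases
    only need length. Spaces are allowed everywhere."""
    length = len(password)  # counts characters, not bytes
    if length < MIN_LENGTH:
        return Verdict(False, f"must be at least {MIN_LENGTH} characters")
    if length > MAX_LENGTH:
        return Verdict(False, f"must be at most {MAX_LENGTH} characters")
    if length >= PASSPHRASE_LENGTH:
        # Passphrase tier: no type-of-character restrictions.
        return Verdict(True, "passphrase: length alone is sufficient")

    # Traditional tier: lower-case, upper-case and a non-alphabetic character.
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_non_alpha = any(not c.isalpha() for c in password)
    if not (has_lower and has_upper and has_non_alpha):
        return Verdict(False, "short passwords need lower, upper and a non-letter")
    return Verdict(True, "short password with mixed character classes")


if __name__ == "__main__":
    # Constructed sample inputs, including the two passwords from the post.
    for pw in ["echo barrier wander versus", "echobarrierwanderversus1$A",
               "Passw0rd", "password", "abcdefghijklmno", "abcdefghijklmnop"]:
        v = validate_password(pw)
        print(f"{pw!r:32} -> {'accept' if v.ok else 'reject'}: {v.reason}")
```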
And if you ever find yourself inclined to put a maximum length restriction on passwords (that is shorter than say 100 characters), you should be ashamed of yourself.