Most Top Websites Are Not Following Best Practices In Their Password Policies

Report on a survey <https://freedom-to-tinker.com/2022/06/22/most-top-websites-are-not-following-best-practices-in-their-password-policies/> of the password policies in force on various popular websites. Too many of them still impose unnecessary restrictions, such as limiting the characters you are allowed to use, or even a maximum permitted length.

There is a linked blog post from one of the developers at Discourse, which argues that rules of any kind should be avoided. Or nearly any kind: there is a case for a minimum-length requirement (but be careful how you count it -- are you just going by Unicode “code points”? Or worse still, are you requiring passwords to be ASCII-only?), for checks against leaked-password lists, and for some kind of entropy test to rule out trivial things like “aaaaaaaaaa”. Beyond that, let the user enter what they like.

Showing the user a password-strength meter next to their entry as they choose a password is considered part of best practice nowadays. But the article shows that Facebook’s password-strength meter, for example, seems to prefer certain weak passwords (drawn from a wider character set) over more random, stronger ones (drawn from a smaller character set).

Maybe there are circumstances out of the hands of the sysadmins, and the blame lies elsewhere. The article closes with:

> One idea for future research: directly engage with system administrators, in order to understand their mindset on password security. Perhaps password policy is meant to be security theater--giving users a sense of safety without actually improving security. Or maybe websites have shifted their attention to adopting other authentication technologies, like SMS-based multi-factor authentication (which also suffers from severe weaknesses, as we discovered in previous research on SIM swaps and number recycling). Perhaps websites have to deal with security audits from firms like Deloitte recommending outdated practices. Or maybe websites face other practical constraints that the information security community doesn’t know about.
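As an added illustration of the policy the post endorses (example code written here, not code from the survey, from Discourse, or from any site it names), the checker below counts length in Unicode code points after NFC normalisation, imposes no maximum length and no character-set rule, checks a constructed stand-in for a leaked-password list, and rejects trivial repetition with a crude entropy estimate; the 12-code-point minimum and 32-bit threshold are assumed values, and `legacy_policy_accepts` is a hypothetical example of the restrictive rules the survey criticises.

```python
import math
import string
import unicodedata
from collections import Counter

# Constructed stand-in for a leaked-password list. A real deployment would
# query a full breach corpus (e.g. via a k-anonymity range lookup) instead.
LEAKED = {"password", "123456", "qwerty", "letmein", "aaaaaaaaaa"}

MIN_CODEPOINTS = 12   # assumed minimum; the post names no specific number
MIN_TOTAL_BITS = 32   # assumed floor for the crude entropy check below


def shannon_bits_per_char(pw: str) -> float:
    """Shannon entropy per character, estimated from character frequencies.
    'aaaaaaaaaa' scores 0 bits; 'abababab' scores 1 bit. This is a sanity
    check against trivial repetition, not a true strength estimate."""
    counts = Counter(pw)
    n = len(pw)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def check_password(pw: str) -> list[str]:
    """Return the reasons a password is rejected; an empty list means accepted.
    Deliberately has no maximum length and no character-class requirements."""
    # Normalise so 'ä' typed as one code point or as 'a' + combining umlaut
    # is counted (and later hashed) the same way; apply the same normalisation
    # at login or the user will be unable to authenticate.
    pw = unicodedata.normalize("NFC", pw)
    problems = []
    if len(pw) < MIN_CODEPOINTS:        # len() counts code points, not bytes
        problems.append(f"shorter than {MIN_CODEPOINTS} code points")
    if pw.lower() in LEAKED:
        problems.append("appears in leaked-password list")
    if shannon_bits_per_char(pw) * len(pw) < MIN_TOTAL_BITS:
        problems.append("too little variety (low entropy)")
    return problems


def legacy_policy_accepts(pw: str) -> bool:
    """Hypothetical restrictive policy of the kind the survey found: ASCII
    only, at most 16 characters, must contain a digit and a symbol. It
    accepts 'P@ssw0rd1!' and rejects a long random passphrase."""
    return (
        pw.isascii()
        and len(pw) <= 16
        and any(ch.isdigit() for ch in pw)
        and any(ch in string.punctuation for ch in pw)
    )
```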
Participants (1): Lawrence D'Oliveiro