What's going on with internet passwords? Why can't organizations make some standard sensible rules?
I just had to reset 2 accounts in 2 days, for both Aeroplan and PC Optimum, which you could argue are two very low-risk accounts to have compromised. The culprit in each case was that they require 10+ character passwords; I rarely log into either, and of the 20 or so accounts I have, only 2 or 3 require passwords that long, so it always blindsides me. I refuse to write them down or use a password manager, since essentially now you've just put all your eggs in one basket.
My TD bank on the other hand up until a year ago was a 5 letter word, with a year attached, fueled by high school naivete from 20 years ago that "oh I'm sure no one's going to bother to hack little old me".
What's going on here? Some say you *have* to have special characters, others forbid them. Why the hell can't everyone get on the same page? The thing is, too, that forcing people to include special characters really doesn't make a password much more secure. You increase the pool of guesses per character from 26 (lower-case letters) to 52 (letters/caps) to 62 (letters/caps/numbers) to 95 (letters/caps/numbers/special), and it doesn't really change much. Before going on, it might be fun to guess: by increasing the pool from 26 (just lower-case letters) to 95 (everything), which almost quadruples it, how much shorter does that allow your password to be for a given level of security?
Humans are horrible at exponential math, and while going from 62 to 95 by including special characters may appear to complicate the password immensely, mostly because it includes characters we use relatively rarely, computers have no such prejudice. They just see it as a base-62 problem vs a base-95 problem: what matters is the number of possible passwords, which is (pool size) raised to the power of (length), so the length is in the exponent and the pool size is only the base.
The best tool is simply length, as the grain of rice on the chessboard, doubling on each square and ending with more rice than exists in the world, demonstrates. Every extra character multiplies the number of possible passwords by the whole pool size, while enlarging the pool only multiplies it by the ratio of the new pool to the old one for each position.
Truly, a 20-digit numbers-only password (10^20 possibilities) is about as secure as a 10-character one drawn from all 95 printable ASCII characters (95^10, roughly 6 x 10^19), but far less complicated to remember. The same level of security works out to a length of 14 for lower-case letters only, 12 for letters/caps, and 11 for letters/caps/numbers. So including all those special characters, and even numbers and caps, only allows your password to be *1 to 4* characters shorter than the alternatives, relative to a 10-character password.
I guess it's just example number 8000 about where the appearance of complexity and security trumps actual sensible measures.
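The arithmetic behind the post's equivalent-length table, as an added example (this is not code from the original post; the character-set sizes are the ones named above, and the 10-character all-ASCII password is taken as the reference). It assumes passwords are chosen uniformly at random, which is the best case an attacker has to brute-force; the post's "about as secure" corresponds to rounding to the nearest whole character, so a separate function gives the length that is at least as strong.

```python
import math

# Character-set sizes named in the post (pool of candidates per position).
CHARSETS = {
    "digits": 10,     # numbers only
    "lower": 26,      # lower-case letters
    "mixed": 52,      # letters/caps
    "alnum": 62,      # letters/caps/numbers
    "ascii95": 95,    # letters/caps/numbers/special (printable ASCII)
}


def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy of a uniformly random password: log2(pool ** length).

    Computed as length * log2(pool) so the exponent stays visible: each extra
    character adds log2(pool) bits, i.e. multiplies the search space by pool.
    """
    return length * math.log2(charset_size)


def equivalent_length(target_bits: float, charset_size: int) -> float:
    """Real-valued length over charset_size that gives exactly target_bits."""
    return target_bits / math.log2(charset_size)


def min_length_at_least(target_bits: float, charset_size: int) -> int:
    """Smallest whole length over charset_size that is *not weaker* than target_bits.

    A tiny epsilon guards against floating-point noise pushing an exact
    integer result (e.g. 10.000000000000002) up to the next whole character.
    """
    return math.ceil(equivalent_length(target_bits, charset_size) - 1e-9)


def compare_to_reference(ref_charset: int = 95, ref_length: int = 10) -> dict:
    """Length, rounded to the nearest character, over each pool that matches the
    reference password's entropy. Reproduces the post's 20/14/12/11/10 table."""
    target = entropy_bits(ref_charset, ref_length)
    return {name: round(equivalent_length(target, size))
            for name, size in CHARSETS.items()}


def charset_gain_factor(old_size: int, new_size: int, length: int) -> float:
    """How many times larger the search space gets when every position of a
    length-character password moves from old_size to new_size candidates."""
    return (new_size / old_size) ** length


if __name__ == "__main__":
    for name, n in CHARSETS.items():
        print(f"{name:8s} pool={n:3d}  10 chars -> {entropy_bits(n, 10):5.1f} bits")
    print("lengths equivalent to 10 chars of ascii95:", compare_to_reference())
    # The 'alnum' row rounds to 11, but 11 alnum characters is slightly weaker
    # than 10 of ascii95; 12 is the first length that is at least as strong.
    print("alnum length at least as strong:",
          min_length_at_least(entropy_bits(95, 10), 62))
    # Widening every one of 10 positions from 62 to 95 candidates gains about
    # 71x; simply adding one more alnum character gains 62x.
    print("62->95 over 10 chars:", round(charset_gain_factor(62, 95, 10)),
          "vs one extra alnum char:", 62)
```

The last two prints make the post's point concrete: forcing special characters into every position of a 10-character alphanumeric password buys roughly the same as adding a single eleventh alphanumeric character.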