The stupidity of the password complexity controls on many websites never ceases to amaze me – but I was particularly not amused when I noticed today the idiocy of the official Scottish Government policy. They have a “password strength” meter which actively rejects many strong passwords, and promotes defective ones which are likely to be easily guessable. So this is the policy.
So I tried for a minimum password the site would accept (note that I did not actually use this!). According to the Scottish Government – P@ssword1 is a strong and acceptable password for their site, regardless of the fact that it is eminently guessable and is on every password dump out there.
Actually, I did test a site the other day where they took a different and better approach. Instead of trying to apply one of these forced complexity policies – they set a minimum length of 10 characters, and a block list of the top 10,000 bad passwords. Obviously this had to be enforced server side (trying to enforce it client side would be a whole different sort of nightmare), but it was ultimately much more successful in protecting people from the consequences of their own bad practice than the standard methodologies.
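As an added illustration (not the author's code, nor that site's), here is a minimal Python version of both approaches: the complexity-meter rule that lets P@ssword1 through while rejecting a long passphrase, beside the server-side minimum-length-plus-block-list check described above. The block list below is a constructed sample standing in for the real top-10,000 list.

```python
import re

# Constructed sample of a breached-password block list. A real deployment would
# load the top 10,000 (or more) entries from a file and check them server side.
BLOCKLIST = {
    "password", "password1", "p@ssword1", "p@ssword123", "123456",
    "qwerty123", "letmein", "welcome1", "iloveyou", "admin123",
}


def complexity_policy(pw: str) -> bool:
    """Mimics a typical 'strength meter': 8+ chars with upper, lower, digit, symbol.

    This is the policy the post criticises: it accepts P@ssword1 and rejects a
    long passphrase that lacks a digit or symbol.
    """
    return (
        len(pw) >= 8
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[a-z]", pw) is not None
        and re.search(r"[0-9]", pw) is not None
        and re.search(r"[^A-Za-z0-9]", pw) is not None
    )


def _normalise(pw: str) -> str:
    # Case-fold so "P@ssword123" and "p@ssword123" match the same list entry.
    return pw.strip().casefold()


def length_and_blocklist_policy(pw: str, min_len: int = 10) -> tuple[bool, str]:
    """Server-side check: minimum length plus a block list of known-bad passwords.

    Returns (accepted, reason). No character-class rules, so passphrases pass.
    """
    if len(pw) < min_len:
        return False, f"shorter than {min_len} characters"
    if _normalise(pw) in BLOCKLIST:
        return False, "appears on the block list of commonly used passwords"
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ("P@ssword1", "P@ssword123", "correct horse battery staple"):
        print(f"{candidate!r}: complexity meter -> {complexity_policy(candidate)}, "
              f"length + block list -> {length_and_blocklist_policy(candidate)}")
```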