My 'favorite' password rules are incorrect rules. Recently signed up to a service which looked like it hadn't been updated since the 90s. They sent me my password via letter, but hey, I was allowed to change it digitally.
So, I did. I set it to a reasonably long password (probably something like 22 characters), with no problems.
Then I went to log in and it refused my login. I copied my password out of my password manager, for both setting it and logging in, so there was no way that it was wrong. I quadruple-checked the login name, but no luck.
Eventually, I manually typed the password from my password manager. Then I saw it: their password field stopped accepting input after about 20 characters.
Presumably, I was able to set my long password on the registration page, but the login page did not accept this long of a password. Fucking ace.
I had to order another password letter.
I just wish these password requirements could be added as an attribute to the password field so password managers could generate a password that matches those rules.
One that I loved was that you couldn't set any from a list of "common passwords"... You couldn't include anything from that list in any password you used. So if the list included the word "green" then "3875429$##&!32++_@greenbean2284&$@" would be rejected.
I've never been super into the idea of using a password manager rather than just using complex but memorable passwords for everything, but policy like this basically necessitates using one.
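The "nothing from the common-password list anywhere in the password" rule described above, as an added example (not code from the thread or from any service mentioned in it). It puts the substring rule beside an exact-match rule and a middle ground that strips leading/trailing digits and punctuation before the lookup, so "Green123!" is still caught while a long random string that happens to contain "green" passes. The word list is a constructed stand-in; a real deployment would load a published list.

```python
import re

# Constructed stand-in for a "common passwords" list (assumption, not a real list).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "green"}


def rejected_by_substring_rule(password: str) -> bool:
    """The rule in the comment: any listed word anywhere in the password fails it."""
    lowered = password.lower()
    return any(word in lowered for word in COMMON_PASSWORDS)


def rejected_by_exact_rule(password: str) -> bool:
    """Exact match only: blocks 'green' itself but nothing that merely contains it."""
    return password.lower() in COMMON_PASSWORDS


def rejected_by_normalized_rule(password: str) -> bool:
    """Middle ground: also catch trivial decorations such as 'Green123!'.

    Leading and trailing non-letters are stripped before the lookup, so a listed
    word buried inside a long random string is still accepted. Leet-speak
    substitutions are deliberately not handled here.
    """
    lowered = password.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    return lowered in COMMON_PASSWORDS or core in COMMON_PASSWORDS


if __name__ == "__main__":
    sample = "3875429$##&!32++_@greenbean2284&$@"  # the comment's example
    for rule in (rejected_by_substring_rule, rejected_by_exact_rule, rejected_by_normalized_rule):
        print(f"{rule.__name__:30} rejects sample: {rule(sample)}")
```

Only the substring rule rejects the comment's 34-character example; the normalized rule still rejects "Green123!" and "123456", which is the behaviour the list was presumably meant to give.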
The good old NTLM rule of max 8 characters and all converted to uppercase. It was a simple rule, and if you forgot your password you could easily brute-force it with normal consumer hardware.
Don't forget general filters for bad passwords. That means no part of your name, username, anything sequential, your birthday, your pet's birthday, or any of the 1000 most common passwords.
Wrote this in a different thread but the way PlayStation handles this...
Password reset is limited to 30 characters. Login isn't.
That would be fine if the password rules on reset would actually mention this and not just cut off the password at 30 characters without telling you that it is too long. So I generated the password, used that on reset, saved it, login wrong...
I couldn't log in to my PlayStation account because my 32-character-long password saved in my Bitwarden vault wasn't correct.
Even worse, on the first support request I was basically told "looks fine on our side, bye".
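Both stories above (the letter-based service and the PlayStation reset form) are the same bug: one form keeps the full password while the other form's field silently drops everything past a shorter limit, so the stored hash never matches what the login path submits. This is an added example, not code from the thread or from either service; the limits, hashing and function names are assumptions. The legacy pair reproduces the mismatch; the fixed pair applies one length limit on both paths and refuses over-long input instead of truncating it.

```python
import hashlib
import hmac
import os

LEGACY_LOGIN_MAXLENGTH = 30   # assumed limit on the login field only (reset form has none)
MAX_PASSWORD_LENGTH = 128     # assumed single limit shared by both paths in the fixed version


def _derive(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for whatever hashing the real services use.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def register_legacy(password: str) -> dict:
    """Reset/registration form: stores the whole password, however long."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _derive(password, salt)}


def login_legacy(record: dict, typed: str) -> bool:
    """Login form: the field's maxlength cuts the input before it is ever sent."""
    truncated = typed[:LEGACY_LOGIN_MAXLENGTH]
    return hmac.compare_digest(record["hash"], _derive(truncated, record["salt"]))


def _check_length(password: str) -> str:
    """Shared policy: reject over-long input with an explicit error, never shorten it."""
    if len(password) > MAX_PASSWORD_LENGTH:
        raise ValueError(f"password exceeds {MAX_PASSWORD_LENGTH} characters")
    return password


def register_fixed(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _derive(_check_length(password), salt)}


def login_fixed(record: dict, typed: str) -> bool:
    return hmac.compare_digest(record["hash"], _derive(_check_length(typed), record["salt"]))


def round_trips(register, login, password: str) -> bool:
    """True when a password set through `register` is accepted by `login`."""
    return login(register(password), password)


if __name__ == "__main__":
    long_pw = "correct-horse-battery-staple-32c"  # constructed, 32 characters
    print("legacy, 32 chars:", round_trips(register_legacy, login_legacy, long_pw))  # False
    print("fixed,  32 chars:", round_trips(register_fixed, login_fixed, long_pw))    # True
```

The round-trip check is the useful part for a defender: run it with a password one character longer than every field limit in the product, on each form that accepts a password, and a silent truncation anywhere shows up as a failed login before a user finds it.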
Fucking macOS, man. No 2 repetitive or 3 consecutive, so when using a random password generator you still can’t have loads of words and have to try multiple times to get it…
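A checker for the rule the comment above describes, as an added example (not code from the thread or from Apple). The reading of "no 2 repetitive or 3 consecutive" here is an assumption: no character immediately repeated, and no run of three characters that step by +1 or -1 in code point (abc, 321); the real macOS check may differ. The generator shows the retry loop the comment has to do by hand, and the rejection-rate helper shows how often a plain random generator trips the rule.

```python
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # assumed generator alphabet


def has_adjacent_repeat(pw: str) -> bool:
    """'2 repetitive': the same character twice in a row (e.g. the 'tt' in 'letter')."""
    return any(a == b for a, b in zip(pw, pw[1:]))


def has_consecutive_run(pw: str, length: int = 3) -> bool:
    """'3 consecutive': a window whose characters step uniformly by +1 or -1."""
    for i in range(len(pw) - length + 1):
        window = pw[i:i + length]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def violates_policy(pw: str) -> bool:
    return has_adjacent_repeat(pw) or has_consecutive_run(pw)


def generate_compliant(length: int = 20, max_tries: int = 1000) -> str:
    """Retry a random generator until the policy passes (what the comment does manually)."""
    for _ in range(max_tries):
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not violates_policy(candidate):
            return candidate
    raise RuntimeError("no compliant password found")


def rejection_rate(samples: int = 2000, length: int = 20) -> float:
    """Fraction of plain random passwords of this length that the rule rejects."""
    rejected = sum(
        violates_policy("".join(secrets.choice(ALPHABET) for _ in range(length)))
        for _ in range(samples)
    )
    return rejected / samples


if __name__ == "__main__":
    print("rejection rate for 20-char random passwords:", round(rejection_rate(), 2))
    print("compliant example:", generate_compliant())
```

With a 62-character alphabet the adjacent-repeat test alone rejects roughly a quarter of 20-character random passwords, which is why a generator without the rule built in needs several attempts; passphrases of dictionary words fail far more often because doubled letters are common.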
Your password must contain at least 62 characters; you may only use lowercase and uppercase characters and numbers. All characters and numbers must be unique and sorted alphabetically; numbers may only be ordered ascending.