The Joy of Passwords

Heard @leo mention actually using monkey123 as an early password, brought back wonderful memories of screaming and banging on desktop when locked out by the “Change Password Required” when logging in at 3am after being called in for a major hardware problem. I could handle it if it were a normal day, but to have to come up with something I remember when I come in the next day, to my own desk, not now please, while the lights are all red, and people are yelling at me.
Working at one of the most secure facilities in the world at the time, but no one got around the Security IT department. Started as simple password once we went to networked PC workstations, with gentle reminder to change password every few months. Actually not too difficult, see-sawed between 2 very similar passwords for a year or so. Then, rule to force not using last x passwords came in.
Came up with very simple solution at 3am. New password was exactly the words I wanted to say to the IT folks. Easy to remember, no need to write it down, no hints required. Funny how the same words popped in my head every time I logged in for 6 months.

2 Likes

I’m betting those words weren’t “monkey one two three!”

2 Likes

You have to love the systems that have stupid settings like only 8 characters and no special characters, and then force a change every 60 days. Nearly everyone had a 6 letter word with 2 digits at the beginning or end, and they just incremented the numbers up 1 when a change was required.

2 Likes

Yes, I hate these rotating password requirements. And then having to use a number and symbol, but the symbol requirements vary from site to site. What a pain…

Roll on SQRL!!!
Hey, Discourse has a minimum letter count requirement, sort of like some sites’ password requirements.

I sure wouldn’t tell my grandchildren the password I used.

What was scary are the Microsoft online services. They used to not allow you to use secure, long passwords.

Several times on hotmail/live.com/outlook.com I tried to set a secure password and was told that my password was too long and I had to keep it under 14 digits!

We got Microsoft 365 at work last year and that suffered from the same problem! No long passwords. I believe they actually patched their system this year to allow for longer passwords - I generally use over 20 characters for passwords I have to remember. LastPass generated ones, I generally keep to under 20 characters.

I remember the days when I was working in IT as an internal support staff for a finance company. The password requirement actually made it easier to hack if people wanted to.

Also, resetting password is such a breeze. Even the password requirement for the previous company I worked for, who is the direct competitor of this company, had a big gap.

Remember reading an assertion somewhere that if a password is limited to a short length and can’t have special characters, then it’s probably being stored in plain text rather than securely hashed, because hashing delivers the same size result regardless of input length or characters used. Don’t know if that’s true, but it’s worrying if so (looking at YOU, ISP email accounts).

The Discourse settings are very good:

I changed the minimum password length from 15 to 8 but otherwise these are the defaults. Note, no maximum password length.

2 Likes

A pet peeve of mine is sites that keep min/max hidden from you. Especially those that truncate the password without telling you, then having to figure out what the password actually is.

Thanks Leo for making clear, much appreciated.

I use random LastPass passwords for everything, but one of the sites I use has differing text field lengths for the password field. The login page truncates to 20 or something, while the reset password once you are logged in is set really large. Get in to the site with their temporary password used at startup, change it to a 25 or 30 digit random value once you are logged in, then can’t log in to the site.

Luckily their “forgot my password” option doesn’t fall prey to this trap. It took me a while to figure what they were doing (wrong). Sent a note to the site admin. Maybe they’ll fix it someday. :man_shrugging:

1 Like
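An added example, not part of any post in this thread and not any site's actual code: it illustrates the two points raised above, that a salted hash stores the same number of bytes whatever the password's length or characters, and that a login form truncating input while the change-password form does not will lock out anyone with a long password. The 20-character limit, the PBKDF2 parameters, the function names and the sample passwords are all assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import os

LOGIN_FIELD_MAX = 20   # assumed limit of the login form ("20 or something")
ITERATIONS = 100_000   # demo value; pick a current recommended work factor in production

# Constructed sample passwords: one short, one 30 characters with symbols.
SHORT_PW = "monkey123"
LONG_PW = "v9#Lq2!xT7@pZr4&Wm8^Yk1*Ds6%Hb"


def hash_password(password, salt=None):
    """Return (salt, digest) using salted PBKDF2-HMAC-SHA256."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify(password, salt, digest):
    """Constant-time comparison of a candidate password against the stored digest."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def stored_sizes(passwords):
    """Set of digest lengths produced for the given passwords."""
    return {len(hash_password(p)[1]) for p in passwords}


def login_truncating(typed, salt, digest):
    """Mismatched login path: silently cuts the input before hashing."""
    return verify(typed[:LOGIN_FIELD_MAX], salt, digest)


def login_consistent(typed, salt, digest):
    """Login path that hashes exactly what the change-password form hashed."""
    return verify(typed, salt, digest)


if __name__ == "__main__":
    # Storage cost is identical for both passwords, so hashing gives no reason for a length cap.
    print("digest sizes:", stored_sizes([SHORT_PW, LONG_PW]))
    # The change-password form stored the full 30-character value.
    salt, digest = hash_password(LONG_PW)
    print("truncating login accepts long password:", login_truncating(LONG_PW, salt, digest))
    print("consistent login accepts long password:", login_consistent(LONG_PW, salt, digest))
```
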

My previous comment about Discourse having a minimum letter count limit was not password related. When I typed in my comment “Roll on SQRL!!!”, I got a message there is a 15 letter minimum input required.

I think that’s a completely sensible limit @Bgeeoz - it eliminates a plague on other forums: the one word post.

Discourse is designed to encourage great conversations, and so far I think they’ve nailed it.

Then there’s the ones that let you sign up with a password that won’t work (which has happened to me many times, even after hounding me against special characters—I guess their disallowed list still didn’t account for everything that would bork their login process).

I pulled no punches with my password for the forums here, and it’s been smooth sailing. :+1:

I’ve used this for a couple of passwords. Steve Gibson.

https://www.grc.com/passwords.htm

Interesting. Not being a regular user of social media, didn’t think about the unwanted effects of short replies.