I think enforcing complex characters is outdated. Allowing them is enough, since someone brute forcing still needs to consider them. Of course they could try all lower, then mixed, then including complex characters in that order to catch those that don’t. But still, it’s better to have a password made up of compound words that is longer, than S0meth!ngV3ryC0nvolu73D. Or just pure random (aka password generator)
My main issue is places that have a maximum password length. This is firstly a limitation on security, but more importantly throws a red flag because of the potential reasons for having a password length limit!
I think enforcing complex characters is outdated. Allowing them is enough, since someone brute forcing still needs to consider them. Of course they could try all lower, then mixed, then including complex characters in that order to catch those that don’t. But still, it’s better to have a password made up of compound words that is longer, than S0meth!ngV3ryC0nvolu73D. Or just pure random (aka password generator)
My main issue is places that have a maximum password length. This is firstly a limitation on security, but more importantly throws a red flag because of the potential reasons for having a password length limit!