Interesting little history piece, but I did not see any evidence that password complexity rules don’t help which i think was supposed to be the point of the article.

They got it wrong because they never understood how these passwords existed to begin with.

So, how long until these US Government recommendations actually get implemented by the US Government?

The password requirements thst I constantly have to work around at work, for our Oracle server, are as follows:

• Must change every 3 months
• Cannot have X number of characters the same, compared to the previous password
• Max length of 30 characters (god, but this always infuriates me)
• At least 2 lowercase letters
• At least 2 uppercase letters
• At least 2 numbers
• At least 2 symbol characters (but with a whole bunch of them, like @, considered invalid)
• Cannot have the same character twice in a row (what possible purpose does this serve?!)

There’s probably others I can’t even remember, or haven’t encountered.