Comments
So, how long until these US Government recommendations actually get implemented by the US Government?
The password requirements that I constantly have to work around at work, for our Oracle server, are as follows:
- Must change every 3 months
- Cannot have X number of characters the same, compared to the previous password
- Max length of 30 characters (god, but this always infuriates me)
- At least 2 lowercase letters
- At least 2 uppercase letters
- At least 2 numbers
- At least 2 symbol characters (but with a whole bunch of them, like @, considered invalid)
- Cannot have the same character twice in a row (what possible purpose does this serve?!)
There’s probably others I can’t even remember, or haven’t encountered.
Interesting little history piece, but I did not see any evidence that password complexity rules don’t help, which I think was supposed to be the point of the article.
They got it wrong because they never understood how these passwords existed to begin with.