Date: 2025-08-30

This is just a rant more than anything, but I suppose if there are actual answers that would be good.



Why do websites have such terrible password requirements? I put in a fully random 20-character lowercase letter password, KeePass estimates it at 80 bits of entropy. Seems good? Website tells me my password is bad. So instead I put in a randomized 10-character password with upper characters, lower characters, special characters, and numbers. KeePass estimates it at 60 bits of entropy. Definitely not great.... website accepts it. I suppose the same website would think that 5Pa$$w0rd! is a great password.



Who came up with these password requirements? I don't understand.



The one that I love the most is when there is a maximum password character limit of like 20 characters, or sometimes less. ???? Isn't the password supposed to be hashed before it's even sent, why is there a maximum? Who decided 20 characters is sufficiently large? Why are these restrictions being put in?
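An added example, not part of the original post: a Python sketch that runs the three kinds of password mentioned above through a "one of each class" rule and through a length-plus-blocklist rule. Both policies, the word list, the leetspeak folding and the two random sample passwords are constructed assumptions, and the bit count is a uniform-random upper bound, not KeePass's pattern-aware estimate.

```python
import math
import string

# Constructed samples: the first two mimic the post's cases, the third is quoted in it.
RANDOM_LOWER_20 = "qzjvkwpmxhtbnrcgyfds"   # 20 random lowercase letters
RANDOM_MIXED_10 = "t7#Qm!2xVe"             # 10 characters, all four classes
LEET_WORD = "5Pa$$w0rd!"

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def composition_policy(pw, min_len=8):
    """Hypothetical site rule: minimum length and one character of each class."""
    return len(pw) >= min_len and all(
        any(c in cls for c in pw) for cls in CLASSES)

def random_bits(pw):
    """Bits of entropy if every character were drawn uniformly from the
    classes present. Only meaningful for generated passwords."""
    pool = sum(len(cls) for cls in CLASSES if any(c in cls for c in pw))
    return len(pw) * math.log2(pool) if pool else 0.0

# Constructed stand-ins for a breached-password list and a leetspeak fold.
COMMON = {"password", "qwerty", "letmein"}
LEET = str.maketrans("$0134@5", "soleaas")

def length_blocklist_policy(pw, min_len=8):
    """Length floor plus blocklist lookup, with no composition rules."""
    folded = pw.lower().translate(LEET)
    return len(pw) >= min_len and not any(word in folded for word in COMMON)

def compare():
    """Return (password, bits, composition verdict, blocklist verdict) rows."""
    return [(pw, round(random_bits(pw), 1),
             composition_policy(pw), length_blocklist_policy(pw))
            for pw in (RANDOM_LOWER_20, RANDOM_MIXED_10, LEET_WORD)]

if __name__ == "__main__":
    for row in compare():
        print("%-22s %5.1f bits  composition=%-5s length+blocklist=%s" % row)
```

The character-class bit count gives `5Pa$$w0rd!` the same score as the random 10-character password, which is why the second policy relies on a blocklist rather than on that number.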