Reworded rules for clarity:

1. Min required length must be 8 chars (obligatory), but it should be 15 chars (recommended).
2. Max length should allow at least 64 chars.
3. You should accept all ASCII plus space.
4. You should accept Unicode; if doing so, you must count each code as one char.
5. Don’t demand composition rules (e.g. “u’re password requires a comma! lol lmao haha” tier idiocy)
6. Don’t bug users to change passwords periodically. Only do it if there’s evidence of compromise.
7. Don’t store password hints that others can guess.
8. Don’t prompt the user to use knowledge-based authentication.
9. Don’t truncate passwords for verification.

I was expecting idiotic rules screaming “bureaucratic muppets don’t know what they’re legislating on”, but instead what I’m seeing is surprisingly sane and sensible.

i had to login for some functions at work. i believe the minimums were 8 characters, 1 caapitol, 1 number. and we all hated it, because the passwords had to be changed every 90 days, and you couldn’t reuse passwords. eventually you are going to run out of things you can reasonably use that you could remember and then would be forced to use some sort of password manager. but OOPSIE you couldn’t install any software on the office computer so you would have to resort to writing them down somewhere. it was a mess.

fortunately corporate decided to just change the entire system adopting most of these rules, min 15 characters, no special character, no hints, no forced changing passwords unless you think you have been compromised or just want to change it. we do have to use 2fa to access some things if you aren’t sitting at the office computer but other than that people are much happier about passwords now.