22

Are we getting better or worse?

Comments
  • 8
    At least they don't limit how long the password can be to some low number, so that's objectively better than what many services enforce.
    But yeah, it's a stupid rule.
  • 10
    This is the one that pisses me off every few weeks.

    Can't even use a random generator, as they create invalid strings 🤦‍♂️

    The not allowed characters are deep inside their developer documentation too 😅
  • 7
    Yes, that might be a little dumb, but don't use passwords for server access. Use SSH keys.
  • 10
    I’d argue that every rule except for minimum characters is bad.
    Those extra rules don’t stop people from using common words because they just append a 1 or a ! if they need to. "password1!" is still insecure.
    At the same time, it stops people from using secure passwords that they can remember in their heads because they need to apply different rules everywhere. It's chaos. And it limits the set of possible passwords, which helps with brute forcing or guessing.
  • 4
    I had one yesterday that required a special character. My special character wasn't allowed, because the only special characters allowed were - and _
    WTF!!!
  • 1
    @JustThat Zero trust is an implementation principle, not an auth flow.
  • 1
    @C0D4 so they keep the hash of all your previous passwords. Love it!
  • 1
    @JustThat Absolutely, but that image is from a DigitalOcean setup wizard by the looks of it, which means that you can either use a password or SSH keys. In that case, go with keys. The only other option would be a cloud-init script, but that in itself would be quite complicated.
  • 2
    My favourite are banks.
    Max 5 characters, only alphanumeric lowercase.

    Yes, it's a max limit, not minimum.
  • 0
    @kleopi that's only 60 million different passwords if I calculated correctly.
    (26 + 10) ^ 5
  • 0
    @JustThat How about "choose any fucking password you like but 2-factor is mandatory" 😁