Why don't we have password standards?
9 points by vaksel on Aug 10, 2011 | 12 comments
It seems like each website has its own password standards.

Some want 5 letters, some want a minimum of 10, some want a maximum of 8, some want a number, some want a mix of capital and lower case letters, some want an underscore, some want a special character @#$%@#@%@#%...others don't allow special characters etc.

Obviously there is absolutely no need for something that restrictive. All it does is leave people stuck using uncommon passwords...which in turn means that they end up writing them down or constantly forgetting them, which bypasses the security.

So how about we create a common set of password standards...one that doesn't force the user to deviate from their common passwords, yet one that does the bare minimum to make brute forcing it with bots complicated.



The only standard we should set is a minimum length that is not too short. Something like 8 characters minimum. I don't care if you use only numbers or only letters, use whatever you want, it's YOUR security after all! The longer the password, the more likely it is to be unique!

My password has been letters + numbers at the end for a long time and I know it's secure because it's not a common word or numbers that have to do with me. No capitals, no punctuation, only lowercase letters and numbers. When a website forces me to use other letters in my password, I keep forgetting it and I am forced to use "Lost my password" all the time, which makes me want to use that service less and less.

Were you inspired to post this by today's XKCD comic? Link : http://xkcd.com/936/


I do not mean to single you out but this is a viewpoint that I have never really understood. If you do not care about "my security" then why have a length requirement?


You don't want your product to be the one with hundreds of people having their accounts compromised. This warrants a bare minimum of password requirements.


Exactly. So you do care about the security of the users.


No, he cares about the reputation of his product being spoiled by the intellectually challenged.


That, and because I needed to log in to Verizon today, and was reminded with error messages that they don't allow any special characters in their passwords.


I think the biggest reason for the lack of a password standard is that the risk profile / threat model is not the same across all websites.


I find that some of these limitations put me in a worse position than if I were to have full control. E.g. you MUST use a symbol, or use both lower AND upper case characters.

This is a joke! We're in the 21st century, people should be able to have their own set of password standards. I know we, as programmers, are always looking out for the most noobish of the end-users. But is it really necessary to go as far as to FORCE EVERYONE into picking a blatantly obviously brute-force-safe password?

In the end, the bulk of these users are just going to forget their password, add it to their password manager, and become frustrated with this chosen system. This in turn is insecure for its own reasons. I think what we need is to remove these silly limitations altogether (although a set standard minimum/maximum character limit is completely understandable imo), and allow people to pick their own standards. The newbies out there will eventually get their accounts hacked, it's inevitable imo. And when that happens they will learn to set better passwords.


For what it is worth OWASP has password guidelines:

https://www.owasp.org/index.php/Password_length_&_comple...

That should be enough? I can't imagine that you are lamenting the lack of an oversight body to adopt and enforce a standard. Were you?


Put a standard of 8 character minimum, and hackers will start targeting 8 characters+

For example, if they are using brute force they will start it using 8 characters, or use dictionary words with 8c +. Still 8c is better than 6.

Just install a password manager, or "develop" your own "algorithm" of how you create your passwords. For example a password "Hackernews"; move each character once to the left, which would give: Jsvlrtmrd. Obviously this "algorithm" has to be changed every few websites, or somebody will find out your pattern.


We could start by disallowing maximum password lengths, and insisting that all printable characters are allowed in passwords.

The great thing about standards is that there are so many to choose from. Here in Britain the Financial Services Authority sets minimum password standards for online banking. I expect similar regulators in other parts of the world have their own subtly different requirements.
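The two rules the comment above asks for (no maximum length, every printable character accepted) written out as a small policy checker, placed beside a restrictive policy of the kind the thread complains about. This is an added example, not code from the thread or from any of the regulators mentioned; the policy fields, the two policies and the sample passwords are constructed for illustration.

```python
import string
import unicodedata
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    """Constructed policy model; the field names are this example's own."""
    min_length: int = 8
    max_length: Optional[int] = None       # None means no upper bound
    allowed_chars: Optional[str] = None    # None means every printable character is accepted
    require_digit: bool = False
    require_upper: bool = False


def check_password(password: str, policy: PasswordPolicy) -> List[str]:
    """Return the list of rules the password violates; an empty list means accepted.

    Lengths are counted in characters, not bytes, so a non-ASCII password is
    not penalised for the size of its UTF-8 encoding.
    """
    problems = []
    n = len(password)
    if n < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.max_length is not None and n > policy.max_length:
        problems.append(f"longer than {policy.max_length} characters")
    if policy.allowed_chars is None:
        # Accept anything printable: only the Unicode "C" categories
        # (control, format, surrogate, private use, unassigned) are rejected.
        if any(unicodedata.category(c).startswith("C") for c in password):
            problems.append("contains control characters")
    else:
        bad = sorted({c for c in password if c not in policy.allowed_chars})
        if bad:
            problems.append("disallowed characters: " + repr("".join(bad)))
    if policy.require_digit and not any(c.isdigit() for c in password):
        problems.append("no digit")
    if policy.require_upper and not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    return problems


# A restrictive policy like the ones complained about: short maximum,
# letters and digits only, composition rules. Constructed for this example.
RESTRICTIVE = PasswordPolicy(
    min_length=6,
    max_length=8,
    allowed_chars=string.ascii_letters + string.digits,
    require_digit=True,
    require_upper=True,
)

# The policy the comment argues for: a minimum length, no maximum,
# any printable character.
PERMISSIVE = PasswordPolicy(min_length=8)


def compare(password: str) -> dict:
    """Evaluate one password under both policies."""
    return {
        "restrictive": check_password(password, RESTRICTIVE),
        "permissive": check_password(password, PERMISSIVE),
    }


if __name__ == "__main__":
    # Constructed sample passwords; none is a real credential.
    for pw in ["Hn2011", "hackernews2011", "correct horse battery staple", "pässwörd 12"]:
        print(repr(pw))
        for name, problems in compare(pw).items():
            verdict = "accepted" if not problems else "; ".join(problems)
            print(f"  {name:11s} {verdict}")
```

Running it shows the inversion the thread describes: the restrictive policy accepts the six-character "Hn2011" and rejects the 28-character passphrase because of its spaces, while the permissive policy does the opposite. If the stored hash has an input limit (bcrypt, for instance, only uses the first 72 bytes), set `max_length` to that limit explicitly so the checker reports it, rather than letting the hash silently ignore the tail of a long password.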


In the states this is handled by the FFIEC but there is no specific complexity requirement. In accordance with the rest of the guidelines the complexity requirements are supposed to be based on a risk assessment.

