Password guidelines for a modern online forum, like Linux Mint Forums


Post by Spice »

When I signed up here, you made me compose a forum password of such arbitrary rules:

Password must be between 10 characters and 32 characters long, must contain letters in mixed case, must contain numbers and must contain symbols.

I mean, sure, the password must be secure, but how did you come up with such arbitrary rules that the password must consist of letters in mixed case, numbers, and symbols? Is there a specific online security expert body which still gives out guidelines along these lines in 2018?

For some better ideas on forum password rules, you may want to consult with: https://nakedsecurity.sophos.com/2016/0 ... d-to-know/

The section "The don’ts":

No composition rules

Let people choose freely, and encourage longer phrases instead of hard-to-remember passwords or illusory complexity such as pA55w+rd.

How am I supposed to conveniently interact with the forum from a mobile device if I have to enter passwords like &%#@_?

I sincerely hope that the security and design decisions that you spare on your forum, you concentrate all those resources to make the core OS better. ;)
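Added example, not part of the original post and not the forum's own code: the composition rule quoted in the post, next to a length-plus-blocklist check in the spirit of the "no composition rules" advice, run over constructed passwords. `MIN_LEN`, `MAX_LEN`, `BLOCKLIST`, the substitution table and the reading of "symbol" as any non-alphanumeric character are assumptions.

```python
import re

def composition_policy(pw):
    """The rule quoted in the post: 10-32 chars, mixed case, number, symbol."""
    problems = []
    if not 10 <= len(pw) <= 32:
        problems.append("length must be 10-32")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        problems.append("needs mixed case")
    if not re.search(r"[0-9]", pw):
        problems.append("needs a number")
    if not re.search(r"[^A-Za-z0-9]", pw):  # assumption: any non-alphanumeric counts
        problems.append("needs a symbol")
    return problems

# Assumed alternative without composition rules. MIN_LEN, MAX_LEN and
# BLOCKLIST are constructed values for this example, not taken from the page.
MIN_LEN, MAX_LEN = 12, 128
BLOCKLIST = {"password", "qwerty", "letmein", "linuxmint"}
SUBSTITUTIONS = str.maketrans("4@301!5$7", "aaeoiisst")

def normalise(pw):
    """Lower-case, undo common character substitutions, keep letters only."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(SUBSTITUTIONS))

def length_policy(pw):
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN}")
    core = normalise(pw)
    # Reject when a blocklisted word makes up at least half of the letters.
    if any(w in core and 2 * len(w) >= len(core) for w in BLOCKLIST):
        problems.append("based on a common password")
    return problems

SAMPLES = [  # constructed inputs
    "Password1!", "P@ssw0rd2018!", "correct horse battery staple", "kV7#qR2!mZx9&Lp4",
]

def compare(samples=SAMPLES):
    """Map each sample to (composition problems, length+blocklist problems)."""
    return {pw: (composition_policy(pw), length_policy(pw)) for pw in samples}

if __name__ == "__main__":
    for pw, (comp, length) in compare().items():
        print(f"{pw!r:32} composition: {comp or 'accepted'} | length+blocklist: {length or 'accepted'}")
```

The composition rule accepts both dressed-up variants of "password" and rejects the long passphrase, while the length-plus-blocklist check does the reverse; the randomly generated sample passes both.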

Post by Schultz »

Is it new that the passwords here must contain a symbol? I don't have a symbol in mine.

Post by Cosmo. »

IIRC this was changed after the attack against the Mint website 2 years ago. There exist different opinions regarding the security rules for passwords. The solution is simple: Use a password manager to fill in the credentials (like KeePassX) and the arguments against composition rules reduce to zero. I have such a strong password - a separate one for every account I have, and entering them manually would really be a difficult task (with likely many wrong attempts at logging in because of a typo). But actually I have never typed the passwords myself and I do not even know them. (Of course I could look them up in my password manager, but I really do not know why I should want to do that.)