This seems to be a very complicated topic...
In the past, experts said you should force users to make Complex Passwords like this...
- 8 to 15 Characters
- At least 1 Upper-Case Letter
- At least 1 Lower-Case Letter
- At least 1 Number
- At least 1 Special Character
From what I have read in modern times, experts say that it is safer to force users to create "Pass-Phrases" versus Complex-Passwords, because Password-Length is a larger deciding factor as to whether a Password can get guessed (e.g. "Rainbow Tables")
Of course, if a person's chose, "I like green eggs and ham" that wouldn't be very secure?!
As I prepare for my website to go live, I am still debating what to require for Passwords... :-/
Originally I had the first example above, but this week someone corrected me and said NOT to have a Password-Length Maximum.
What do you think??