It's forced password reset time at work again.
And I think this is an opportune time for a reminder that A PASSWORD THAT YOU CANNOT REMEMBER IS USELESS.
The best passwords are ones that you can remember, but that cannot be easily guessed or bruteforced. And that means they need to be meaningful to you in some way, but meaningless and non-obvious to anyone else. It should not be a piece of public-record information, it should not refer to something that everyone knows about you, it should not be a common dictionary word.
But also, it shouldn't be line noise.
Unfortunately what a lot of administrators who have little or no practical experience in the real world, or are simply following rules written by people with a similar lack of real world understanding, often tend to do is something like this:
1. Find the list of available password constraints.
2. Go down the rule list and just check every box. Because why would they be there if you weren't supposed to use them?
3. Set password expiry to the shortest allowed interval.
This isn't a recipe for secure passwords. It's a recipe for forcing people to write down passwords on sticky notes on their desks. Or message it to themselves on their phones. Somewhere, ANYWHERE, that they can copy it from when ever they need it, because they can't remember what this month's there-was-a-cat-fight-on-the-keyboard password is.
And if you can copy your password whenever you need it, it's likely someone else with physical access can as well. It becomes less a question of "How strong a password did you choose" and more one of "How well did you hide your password".
To a large extent, as long as you're not using common dictionary words, password complexity rules are of rather little value. As long as a brute-force password scanner is including "special" (non-alphanumeric) characters in its keyspace anyway, it matters not one whit whether your password contains two of them, fourteen, or none. It matters not in the slightest whether your password contains short repeats or runs of characters. A brute-force password scanner is going to try every possible permutation anyway. Once you're already avoiding simple dictionary attacks and making an attacker scan an extended keyspace, THE ONLY meaningful parameter in the strength of a password is its length. And that means that a reasonably-obfuscated password that you can actually remember and type from memory without errors is just as strong, in the real world, as one that looks as though someone closed their eyes and dumped a bucket of billiard balls over your keyboard. Probably stronger, because you don't have to write it down or otherwise record it.
The real heart of this is that we need to move away from passwords. They are a lousy means of security. We're starting to see wider use of biometric authentication, but biometric security has its own drawbacks too — if your biometric "credentials" are successfully spoofed, how do you change them?
Two-factor authentication is becoming more widely used, but it's not perfect and it's not foolproof, and some forms — one-time-code verification via SMS, for example — can easily be bypassed by means such as SIM-swapping attacks. It is a truism of security that the strongest security schemes combine three factors — something you have, something you know, and something you are.
But if you're relying on ONE factor — something you know — and then making that one thing so cryptic and arcane that the average person cannot practically be expected to remember it without writing it down somewhere, then you don't have security any more. You have security theater.