I’ve seen minimums of 8 and 12, and maximums as low as 20.
AgileBits obviously has done a lot more profiling, but it would be nice if they developed a universal password formula that was still memorable. So with words, “-“ separator (or maybe “.” separator?), maximum length 18, one whole word capitalized, random single digit at the end or beginning.
That way you keep maximum entropy, keep it readable, whilst fitting within the rules of “all” sites.
Although within 5-10 years I see passkeys having largely taken over, especially because mom and pop won’t be able to forget those, and they won’t be able to forget their fingerprint or face either.
AgileBits obviously has done a lot more profiling, but it would be nice if they developed a universal password formula that was still memorable. So with words, “-“ separator (or maybe “.” separator?), maximum length 18, one whole word capitalized, random single digit at the end or beginning.
That way you keep maximum entropy, keep it readable, whilst fitting within the rules of “all” sites.
Although within 5-10 years I see passkeys having largely taken over, especially because mom and pop won’t be able to forget those, and they won’t be able to forget their fingerprint or face either.