Dumb password rules

limit of 60 is barely acceptable in my eyes, as that will probably support an xkcd pass with 4 words, but maybe not 5 or more.

Are you seriously using words averaging >11 characters? Like, yeah, I can come up with a passphrase like that, but if I'm creating a passphrase manually, I'm more likely to create a meaningful sentence using more common words.

Even if we assume that we are restricted to only 1000 possible words, a 5-word passphrase has 9.3 × 10^698 possible permutations. In reality an attacker does not know our dictionary and will have to search an even bigger space.
Assuming a character set of 100 characters (which I would argue is bigger than what most people use), a 16-character password has 2.6 × 10^120 possible permutations.
Either of these is practically unbreakable, but the "weak" passphrase is substantially stronger than the random 16-character password.

/r/programming Thread Parent Link - github.com