Context is that I had to register for a lot of accounts recently and some of the rules really make no sense.
Not name-and-shaming, but the best one I’ve seen recently is I might have accidentally performed an XSS attack on a career portal using a 40-digit randomly generated password…
A university I worked at had a similar policy to the first one.
They wanted a single username and sign on across all IT systems but also had some really old legacy systems that didn’t support long passwords.
So they’d force everyone to use passwords that were exactly as long as the maximum legacy password length.
For me, the worst system is the Microsoft authenticator, which locks me out of my account for five minutes if my fingerprint doesn’t match the first time I try.