I wholeheartedly disagree A long password like “this is the best password for email” is near-impossible to brute-force, while being extremely easy to remember. A short password with special characters / numbers / lowercase + capital letters, like “Emai1_Passw0rd!” is far easier to brute-force, and a lot harder to remember (which letters did I capitalize again? Which ones did I swap with numbers? What symbol did I throw in?)
Optimal password requirements are … nothing. Because every requirement you put in reduces the parameter space an attacker needs to search. Second best is setting a minimum number of characters, because a bunch of people are stupid and will use single-letter passwords if you let them.
I wholeheartedly disagree A long password like “this is the best password for email” is near-impossible to brute-force, while being extremely easy to remember. A short password with special characters / numbers / lowercase + capital letters, like “Emai1_Passw0rd!” is far easier to brute-force, and a lot harder to remember (which letters did I capitalize again? Which ones did I swap with numbers? What symbol did I throw in?)
Optimal password requirements are … nothing. Because every requirement you put in reduces the parameter space an attacker needs to search. Second best is setting a minimum number of characters, because a bunch of people are stupid and will use single-letter passwords if you let them.