Who is responsible for this?

I tried logging into the wiki via github login to update some docu, and I'm presented with THIS:

You are required to complete a password update
before proceeding - you can use the same password.

Your password needs to be at least 8 characters long.
Your password needs to use characters from at least
3 of the following types: lower case letters, upper case
letters, numbers, special chars (eg. !, $, #, %). Your
password may not contain your username. Your
password may not be one of the 10,000 most commonly
used passwords. Your password may not have been
used in any known password leak.

Seriously, WAT?

Password quality is not determined by complexity, but entropy.

Please update this bad policy.

We need only ONE (1) limitation: long passwords.

2 Likes
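To make the first post's point concrete, here is an added example (not code from the wiki or from anyone in this thread) that implements the quoted policy as a checker and puts an entropy estimate next to it. The "common" and "leaked" lists are tiny constructed stand-ins, and the entropy function assumes characters drawn uniformly at random, which is the upper bound a human-chosen password never reaches.

```python
import math
import string

# Character classes as listed in the wiki's message (3 of 4 required).
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}

# Constructed stand-in for the "10,000 most common" and "known leak" lists.
COMMON_PASSWORDS = {"password", "12345678", "qwerty123", "Password1!"}


def classes_used(pw):
    """Names of the character classes that appear in pw."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}


def policy_violations(pw, username):
    """Return the rules (as quoted in the first post) that pw breaks; empty list = accepted."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if len(classes_used(pw)) < 3:
        problems.append("fewer than 3 character classes")
    if username.lower() in pw.lower():
        problems.append("contains username")
    if pw in COMMON_PASSWORDS:
        problems.append("in common/leaked list")
    return problems


def entropy_bits_random(length, alphabet_size):
    """Entropy in bits of a password of `length` characters chosen uniformly
    from an alphabet of `alphabet_size` symbols: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def compare(short_complex, long_simple, username="alice"):
    """Show the mismatch between what the policy accepts and what carries entropy.
    Alphabet sizes: all 94 printable ASCII symbols vs. 26 lowercase letters."""
    return {
        "short_complex": {
            "violations": policy_violations(short_complex, username),
            "max_bits_if_random": round(entropy_bits_random(len(short_complex), 94), 1),
        },
        "long_simple": {
            "violations": policy_violations(long_simple, username),
            "max_bits_if_random": round(entropy_bits_random(len(long_simple), 26), 1),
        },
    }


if __name__ == "__main__":
    # The 8-character, 4-class password passes; the 16-letter one is rejected
    # even though, drawn at random, it has roughly 23 more bits of entropy.
    import json
    print(json.dumps(compare("Tr0ub4d&", "qzlmvxrtwpekjhgb"), indent=2))
```

The checker reproduces the quoted rules, so the output shows the policy rejecting a long lowercase string that (if random) carries about 75 bits while accepting an 8-character string capped at about 52 bits. That is the gap between "complexity" rules and actual entropy the post is complaining about.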

Jesus. One can't even log out from one's own wiki account any more.

WTF.

Can't log out. Can't log in. Must update password at every single page load. Something is brrrokennn.

Edit: this is a side issue; the actual issue is in the first post.

2 Likes

Yeah, was about to try that... thanks @dave14305 it worked

2 Likes

Yeah, but the problem is not really the password rules, it is the human users.

2 Likes

Gosh, that was close to a system crash....

2 Likes

Depending a little on how digitalized your country is, the only meaningful way of handling passwords today is with a password handler if you are supposed to have, let's say, 100-500 different logins/codes/passwords to different things and they are all supposed to be unique.

But a password handler on the other hand pretty much removes the word part in password and makes a unique very big random heap of symbols for every login very easy to handle.

And why do humans need managers? Because absurd password rules like these make them impossible to remember everything. Granted, it would be better if the whole infra changed to use passkeys where available so no passwords are ever needed...

It's always the humans, but we can definitely make it easier for them. So in this case, the problem really is the password rules.

Password handlers have been hacked in the past and will (likely) be hacked in the future I expect.

What I tend to do - both to comply with password rules, and to actually remember a password - is that I compose a password based on something like this:
[1st URL character minus one] | [a standard phrase including lower/upper case, special chars] - [last two URL characters] | [some year]

I hope that this will do for some time...

The thing with this tactic is that the first time it is stolen from some webpage and put in the password lists, the password crackers get their golden ticket to start manipulating the years and try them all over the place.

And if it is stolen from two places it becomes a disaster, because then it is visible what char you have changed and then it falls apart.

And the first time anyone looks at it, then it isn't random at all anymore, it is simply a pretty standard logical password.

And this tactic works on a couple of passwords at best, but scale it up to for example 250 different logins, and I would be impressed if you remember 250 unique passwords based on this setup.

1 Like